Another concern when dealing with user data is the possibility that it may be executed in PHP code or on the system shell. PHP provides the eval() function, which allows arbitrary PHP code within a string to be evaluated (run). There are also the system(), passthru() and exec() functions, and the backtick operator, all of which allow a string to be run as a command on the operating system shell.

Where possible, the use of all such functions should be avoided, especially where user input is entered into the command or code. An example of a situation where this can lead to attack is the following command, which would display the results of the command on the web page.

echo ‘Your usage log:<br />’;
$username = $_GET['username'];
passthru(“cat /logs/usage/$username”);

passthru() runs a command and displays the output as output from the PHP script, which is included into the final page the user sees. Here, the intent is obvious, a user can pass their username in a GET request such as usage.php?username=andrew and their usage log would be displayed in the browser window.

But what if the user passed the following URL?

usage.php?username=andrew;cat%20/etc/passwd

Here, the username value now contains a semicolon, which is a shell command terminator, and a new command afterwards. The %20 is a URL-Encoded space character, and is converted to a space automatically by PHP. Now, the command which gets run by passthru() is,

cat /logs/usage/andrew;cat /etc/passwd

Clearly this kind of command abuse cannot be allowed. An attacker could use this vulnerability to read, delete or modify any file the web server has access to. Luckily, once again, PHP steps in to provide a solution, in the form of the escapeshellarg() function. escapeshellarg() escapes any characters which could cause an argument or command to be terminated. As an example, any single or double quotes in the string are replaced with \’ or \”, and semicolons are replaced with \;. These replacements, and any others performed by escapeshellarg(), ensure that code such as that presented below is safe to run.

$username = escapeshellarg($_GET['username']);
passthru(“cat /logs/usage/$username”);

Now, if the attacker attempts to read the password file using the request string above, the shell will attempt to access a file called “/logs/usage/andrew;cat /etc/passwd”, and will fail, since this file will almost certainly not exist.

It is generally considered that eval() called on code containing user input be avoided at all costs; there is almost always a better way to achieve the desired effect. However, if it must be done, ensure that strip_tags has been called, and that any quoting and character escapes have been performed.

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively little work over and above constructing one without the security considerations. In particular, using a function such as the _INPUT() presented above makes the secure version of input acquisition almost as painless as the insecure version PHP provides.

Creating a new Process:

A process is program in execution. It includes

• program code
• application data
• system data including file descriptors, etc.

New processes are created in linux using the fork() system call. A call to fork() will create a completely separate sub-process which will be exactly the same as the parent. The process that initiates the call to fork is called the parent process. The new process created by fork is called the child process.

Linux ‘fork’ duplicates process and copies complete process state:

• program + app data + system data
• including file descriptors,etc.

The two processes then start execution from where fork is returned. The child gets a copy of the parent’s text and memory space. They do not share the same memory. Hence they are two different processes but have identical process statees. Process Id(PID) uniquely identifies a process. Thus parent and child process have different PID. fork() system call returns an integer to both the parent and child processes:

• 0 to Child process
• Positive number(PID of child created) to the Parent process

So from the return value of fork(), the executing process can find out if it is parent or child. Enough theory, lets get into action.
(note: fork() is declared in <unistd.h>)

#include <stdio.h>
#include <unistd.h>
int main()
{
	int pid=-1;
	printf("Starting execution!\n");
	pid=fork();
	if(pid==0){					//if fork returns 0, it is child process
		printf("In child process. pid of child is %d\n",getpid());
		printf("Do child process stuff here\n");
	}
	else if (pid>0) {				//if fork returns +ve number, it is in parent process
		printf("In parent process. pid of parent is %d\n",getpid());
		wait();
		printf("Child finished execution\n");
		printf("Do parent process stuff here\n");
	}
	else {						//if return value is -ve, fork has failed to create new process
		printf("error\n");
	}
	printf("%d is exiting\n",getpid());
	return 0;
}

wait() system call blocks the calling process until one of its child processes exits or a signal is received. Thus parent process waits until child finishes its work. getpid() system call returns the PID of calling process.

Parent forks

After fork, parent and child are identical. Except return values from fork

Since data are different, program execution differs

Running a new Process:

A call to exec() system call, replaces the current process with that of new executable passed to it as an argument. The replaced process undergoes following modifications:

code                 ->   replaced by new program
data                  ->   reinitialised
system data     ->   partly retained

There are different flavours of exec(). We discuss execl() here.

• int execl( const char *path, const char *arg, …);

#include <stdio.h>
#include <unistd.h>
int main()
{
int pid=fork();
if(pid==0){
	printf("In child %d\n",getpid());
	execl("/bin/ls","ls","-l",(char *)0);
	printf("Do child process stuff here");
}
else if (pid>0) {
	printf("In parent %d\n",getpid());
	wait();
	printf("Child finished execution\n");
	printf("Do parent process stuff here\n");
}
else {
	printf("error\n");
}
return 0;
}

Here the child process is replaced with ls. You can notice that “Do child process stuff here” is not printed instead output of ls command is printed out.

O PHP me assusta.

Além de ser fácil e prático, também é uma das linguagens de programação mais completas.

Rodou um tópico no grupo de discussão do php que tratava da execução de comandos e programas no servidor através do PHP. Isso pode ser misturado com o (&) do Linux para você obter uma simulação de threads, executando assim diversos comandos em tarefas separadas.

Pode também ser misturando com o Cron, para assim você ter execuções agendadas. Scripts que executam scripts, scripts que fazem manutenções no banco de dados ou qualquer outra coisa que sua imaginação desejar.

Eu sugiro que você comece pelo manual de execução de programas do PHP. Assim você terá uma visão geral do assunto, porém sempre lembrando que a estrutura e as regras de segurança serão definidas pelo sistema operacional dentro do qual os scripts serão executados.

Isso acontece porque o PHP necessita do interpretador, diferenciando-se do Java que roda dentro de uma máquina virtual.

Logo você irá perceber que há mais de uma forma para realizar essa execução de tarefas, pois algumas funções antigas evoluíram para outras um pouco mais avançadas, mas no final das contas é tudo facilitado pela API do PHP que garante integração e facilidade no call dessas funcionalidades estruturais.

Estude também sobre a função exec(), a mais fácil e simples de todas, na minha opinião pessoal.

Depois, vá avançando

Olha só essa aqui: A função shell_exec(), bem mais completa. Dá pra fazer umas coisas alucinógenas com ela…

Essa função tem um atalho (shortcut) no interpretador do PHP. Se você usar o comando com craze (`) no script PHP, ele tentará ser executado dentro do Shell. Isso dá um problema com safe_mode ativado, mas é só desativar dentro do PHP.ini que fica tudo em casa….

Se você quiser manipular uns processos de execução de comandos com ponteiros de entradas e saídas (ui!!!) tente o proc_open(). É um passo a mais no nível de dificuldade, mas pode ser útil em algumas situações.

Nunca precisei usar, mas é sempre bom saber pra que serve, certo?

um abraço,

Diogo Besson

Förvånas över TV´s prioriteringar. Har varit med om att TV bjudits in till möten med Al Gore, intervjuer med Stephen Odell, presskonferenser om kollektivtrafiken , fullsatt Scandinavium med spännande personer på scen mm mm, men de kommer inte. Idag blir jag kontaktad och tillfrågad om en intervju då jag har deltagit i en julkalender där det ges klimattips i varje lucka och jag är en av tipsarna!!?

Hade ett bra styrelsemöte där vi tog upp ett antal strategiska för handelskammaren framöver. Roligt med en engagerad styrelse och vi har mycket på gång. Kapitalförsörjningsområdet, ungdomsarbetslösheten, 200 000 nya jobb, medlemsnytta, Kina och hållbar stadsutveckling var några av frågorna som diskuterades. Det saknas inte uppgifter för en organisation som handelskammaren.

Avslutade dagen med att deltaga på vår nätverkskväll med Exec, med ca 100 deltagare. Först lyssnade vi till “fiskarpôjken” från Öckerö, Christer Olsson, som höll ett insprirerande föredrag om ledarskap i förändring. Passade bra då samtliga deltagare är unga vd:ar från små och medelstora företag i vår region. Bl a fick vi klart för oss att ett företag behöver både struktur och kultur, samt att kulturen trumfar strukturen. På en 10-gradig skala kan man sätta betyg på dessa olika områden. Har man en 8:a på strukturen och en 6:a på kulturen så blir det 48% effektivitet i organisationen, allt enligt boken “From good to great”. Jag slås av det fantastiska nätverkandet som vi skapar i dessa grupper. Jag fick en hel mängd nya idéer om vår framtida utveckling och alla utbytte tankar, idéer, visitkort, som i slutändan bidrar till fler och bättre affärer som i sin tur ger tillväxt. Anmäl er i något av våra många nätverk, om ni inte redan är med!

As every one knows that Ad hoc dynamic queries are prone to SQL Injection attacks, I am not going to touch that. But there is still some confusion hanging over usage of dynamic sql with in a stored procedure. This is what I thought of blogging about.

Point 1: Using dynamic SQL with in stored procedure are prone to SQL Injection attack.

Other disadvantages of using dynamic SQL includes:

1. Not readable and there for un maintainable code.
2. Execution path is not saved there fore every time a stored procedure is run execution path is calculated again and again.

But there are cases when we might need to use dynamic queries inside a stored procedure. What have to be done in this case?

To demonstrate the sql injection attacks and to give a sample how to avoid this, I created a table named test with just one column [name].

Table Definition

USE [ASPNETDEV]
GO
/****** Object:  Table [dbo].[test1]    Script Date: 10/28/2009 15:14:07 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[test](
    [name] [nchar](10) COLLATE SQL_Latin1_General_CP1_CI_AS NULL
) ON [PRIMARY]

Insert the below values in to the table.

insert into test values (‘muthu’);

insert into test values (‘muthu1′);

Case 1: Procedure using static query

create procedure testsi
(@name nvarchar(10))
as
select * from test where [name]=@name

when we execute the above procedure with normal parameters (‘muthu’) it brings just 1 row.

exec testsi ‘muthu’

Now I give a value that introduces SQL injection as below

exec testsi ‘muthu”;drop table test;–’’select * from test;’

When you look in to the value passed to the parameter @name ; you can very well see the SQL injection in the form of ‘’;drop table test;—. As you see, this  just closes the single quote and drops the table test. Well this is sql injection.

But to our surprise executing this does not drop the table and promptly brings in one row.

muthu

Because what we passed is just a value for the column [name] and obviously we don’t have any row in the table [test] with the column [name] having value ‘muthu”;drop table test;–’’select * from test;’

Case 2: Procedure with dynamic Query 

create procedure testsid
(@name nvarchar(1000))
as
declare @sql as nvarchar(1000)
set @sql=’select * from test where [name]=”’ + @name + ””
print @sql
execute (@sql)

The line given in bold is the place where we use dynamic query.

Now lets execute this procedure using our SQL Injection value.

exec testsid ‘muthu”;drop table test;–’’select * from test;’

Opps! Now the table is lost.

when you see the “Messages” tab in the Management Studio to your surprise it will be as follows:

select * from test where [name]=’muthu’;drop table test;–’select * from test;’

(1 row(s) affected)

When you separate the statement using semicolon you will get 2 statements as follows; never mind the third one is commented.

1. select * from test where [name]=’muthu’;
2. drop table test;
3. –’select * from test;’

So this is SQL injection and this doesn’t just disappear if you use stored procedure.

Case 3: Procedure with dynamic query and avoiding SQL injection

However Microsoft has introduced a new way to run dynamic queries from the stored procedure using sp_executesql.

From MSDN:

To execute a string, we recommend that you use the sp_executesql stored procedure instead of the EXECUTE statement. Because this stored procedure supports parameter substitution, sp_executesql is more versatile than EXECUTE; and because sp_executesql generates execution plans that are more likely to be reused by SQL Server, sp_executesql is more efficient than EXECUTE.

 

Please refer to the SQL server 2008 books online to get more information about this sp_executesql.

alter procedure testside
(@name nvarchar(1000))
as
declare @sql as nvarchar(1000)
declare @ParamDefinition nvarchar(500)
set @ParamDefinition = N’@name nvarchar(1000)’
set @sql=’select * from test where [name]=@name’

exec sp_executesql @sql, @ParamDefinition,@name

print @sql

In the above procedure we create a dynamic parameterized  query and we pass the query, the parameter definition and the value for the parameter to sp_excutesql procedure.

exec testside ‘muthu”;drop table test;–’’select * from test;’

Even though we run the procedure with SQL Injection values to our surprise the table test does not get dropped.

But remember just using sp_executesql will not avoid sql injection attacks. It must be used sensibly. For example an example as follows is still susceptible to sql injection.

How not to use sp_executesql?

create procedure testsides
(@name nvarchar(1000))
as
declare @sql as nvarchar(1000)
declare @ParamDefinition nvarchar(500)
set @ParamDefinition = N’@name nvarchar(1000)’
set @sql=’select * from test where [name]=”’ + @name + ””
exec sp_executesql @sql, @ParamDefinition,@name

print @sql

Even though the procedure uses “sp_executesql” it is still prone to SQL injection because it does not use parameterized query.

But there are times when one cannot use parameterized queries, in this case there is no way but to use dynamic query. But in this case one must take extra-ordinary steps to validate the data. This article may help further understanding.

Update:

A live example for sql injection attack: Barackobama.com!

TAYLAN BİLGİÇ
ISTANBUL – Hürriyet Daily News
The wealth of the world is shifting from the west to the east, according to Mike Rees, CEO of wholesale banking at Standard Chartered. ‘Turkey should look east for foreign investment,’ he says, adding that the UK bank most active in Asia, Africa and the Middle East can help it do so. The bank is waiting for regulatory approval to upgrade its presence in Turkey

Mike Rees

‘What we will bring is a unique advantage in helping Turkey look to the east,’ Mike Rees says. ‘This is different from what other European banks can offer.’
The names of many banking giants were engraved in the memories of people everywhere during the global turmoil of the past year, but Standard Chartered Bank, or SCB, a lender with operations in more than 70 countries, is not among those names.

Mike Rees, the chief executive officer of wholesale banking at SCB, said the “boring approach” of “firm focus on the fundamentals of banking” is the reason, but positioning itself in the world’s fastest growing markets also helped. Though based in the U.K., SCB is barely known by the common man in the West, but in Asia, Africa and the Middle East, it is a long-established financial behemoth.

“The tag ‘emerging markets’ was invented by those sitting in the west and looking east,” said Rees, speaking to Hürriyet Daily News & Economic Review on a busy day in Istanbul during the annual summit of the International Monetary Fund and the World Bank Group. “What we are trying to be is the leading international bank in Asia, Africa and the Middle East. That is a broader definition.”

For Rees and SCB, the crisis heralds the rising economic power of the east over west. “All the hard work we have done in the past decade has allowed us to position ourselves in exactly the right place,” he said, smiling.

SCB’s robust growth during the worst days of the crisis – illustrated in a pretax profit of $4.8 billion last year, compared to $4 billion in 2007 – depends much on the bank’s “boring approach,” Rees said. “This is part of our DNA. We got reminded of it through the Asian crisis, which showed the importance of playing to you strength,” he said. “That’s why you haven’t heard much about us in the past year, and that is a good thing.”

SCB’s pretax profit in the first half of 2009 stood at above $2.8 billion.

For Rees, “longevity” lies in the fundamentals of banking. “Banking is a long-term relationship. And we are only successful if our clients are,” he said. “Last year we celebrated 150 years of continuous presence in India and China. This year, we celebrated our 150th year in Singapore and Hong Kong.”

“We focus very hard on our balance sheet and manage it conservatively,” he said. “Globally, we have an assets-to-deposits ratio of 78.4 percent [as of the first half of 2009], which means we have more customer deposits on our balance sheet than customer assets. Probably, it is only HSBC and us that are like that.”

The global financial paradox:

Reflecting on the global crisis, Rees described the key problem as “an increasingly globalized economy supported by a financial industry that becomes increasingly domestic.”

“When I talk to [executives of] multinational corporations, they voice worries about how banks will provide international financing for them,” Rees said. “Because governments that own banks now are forcing them to focus on domestic economies. Thus, a number of things get down squeezed, such as short-term trade finance and access of multinationals to international capital.”

Another dimension is the change the world is going through. “In 10, 20, or 30 years, the east will become increasingly dominant, while the west will become secondary,” Rees said. “Just look at China. They are pouring investments into Africa, especially into commodity-related industries. Indian companies are also investing around the world. There is considerable capital flow out of the Middle East.”

In accordance with such a trend, Rees said Turkey should “look east” for investment, not west. “But bear in mind that your market is the west. But the west does not have money anymore. If you track back and look where big infrastructure investments [to Turkey] are coming from, you will see that this is a sustainable trend.”

As a bridge between east and the west, can Istanbul really become a global financial center, as the government envisages? “Many governments have such plans, as they see an opportunity,” Rees said. “But one has to go back in history for a proper context. Why did London, Shanghai, Hong Kong and Singapore become financial centers? Because they have a heritage of being major global trade centers.”

Financing tends to develop around trade and Istanbul certainly has such a heritage, according to Rees. Thus, he thinks that Istanbul has to “build itself as a logistics and trade city first” and as a financial center next.

Waiting for green light:

SCB’s mantra is to become a “local bank in local markets” in the east, as “over time, four or five local banks dominate 80 percent of any market and foreign banks get squeezed out.” In the west, it aims to be able to “service flows into those markets.”

But in Turkey, the lender is still “in the middle.” SCB has had a presence in Turkey since 1985. In 1990, it had problems and sold some of its branch networks, only to reopen a representative office in December 2003 again. It currently has nine permanent staff based in Istanbul, led by Ethem Tuncel, the CEO of SCB Turkey.

“Turkey sits in the middle for us,” Rees told the Daily News. “We had bids for Oyakbank and Denizbank, but the prices were inflated. [Others] were paying European valuation levels for what is essentially an emerging market.”

“We continue to look for opportunities, but haven’t seen any yet,” he said. “In the meantime, we are pushing hard with regulators to upgrade our representative office to be a branch. In the short term, getting such a license is the alternative strategy.”

After 23 banks went bankrupt during the 2001 crisis, the Banking Regulation and Supervision Agency imposed strict rules on obtaining a license. As years passed, at least five local and some foreign institutions, including SCB, are waiting to obtain such licenses.

“What we will bring is a unique advantage in helping Turkey look to the east,” Rees said. “This is different from what other European banks can offer.”

The Turkish public may not know much about SCB, but this is not the case regarding Turkish banks. “Ask them, they will remember us,” Rees said. “They will remember that through the Asian crisis we never cut our limits with them. SCB supported them in their bad times.”

With a network that covers half of the Muslim world, SCB is also involved in the booming area of Islamic banking products and services. “The secular world also needs it as Islamic banking is a huge opportunity,” Rees said. “The problem with it is that there are no universally accepted rules. There’s no international Islamic banking. You cannot do a [sukuk] issue in Malaysia and sell it in Indonesia, for example. In the absence of a globally accepted set of rules, it essentially is a domestic market.” He said the Islamic board of scholars at SCB “helped Indonesia, Hong Kong and Singapore write their rules.”

Reminded of political concerns in Turkey related to Islamic banking, Rees said this problem exists in other countries, too. “Turkey is not that far out in line, but other countries are moving a bit quicker.”

Although, not a recommended practice, but sometimes we have to write our queries using dynamic SQL. In such situations, it is generally needed to fetch the result (scalar or tabular) of dynamic SQL into the main (non-dynamic) query. This is not straight forward because dynamic SQL runs in its own scope and we cannot access the variables defined in main query. This post presents a few approaches to consume the result of a dynamic SQL query:

sp_ExecuteSql stored procedure

This is the most generic and powerful method of invoking dynamic SQL since it allows us to write a parameterized dynamic query with input/output parameters. Here’s a simple example of using sp_executesql to consume the result of a dynamic SQL query:

declare @today datetime
exec sp_executesql
    N'Select @internalVariable = GetDate()', --dynamic query
    N'@internalVariable DateTime output', --query parameters
    @internalVariable = @today output --parameter mapping
select @today

Table variables and Temporary tables

This method is used when we want to get a tabular result set from our dynamic query. Here’s an example to get the result of a dynamically created SQL query by using table variables:

declare @myTable table
(
    DatabaseName nvarchar(256),
    DatabaseID int,
    CreateDate datetime
)

insert into @myTable
    exec (N'select name, database_id, create_date from sys.databases') --dynamic query

select * from @myTable

Here’s the same example that uses a temporary table to fetch the result set of a dynamic SQL query:

create table #myTable
(
    DatabaseName nvarchar(256),
    DatabaseID int,
    CreateDate datetime
)

insert into #myTable
    exec (N'select name, database_id, create_date from sys.databases') --dynamic query

select * from #myTable
drop table #myTable

Since temporary tables have physical existence so we can refer to the temporary table inside our dynamic SQL query as well. Here’s an example illustrating this technique:

create table #myTable
(
    DatabaseName nvarchar(256),
    DatabaseID int,
    CreateDate datetime
)

--dynamic query
exec sp_executesql
    N'insert into #myTable
        select name, database_id, create_date from sys.databases'

select * from #myTable
drop table #myTable

Temporary tables or Table variables can also be used to fetch the result of a stored procedure. Notice that for saving this result, the columns of table variable/temporary table must match with the result of stored procedure. That is, we need to take “ALL” the columns. Here’s an example that grabs the result set from a stored procedure into a table variable.

declare @myTable table
(
    ServerName nvarchar(256),
    NetworkName nvarchar(256),
    Status nvarchar(4000),
    ID int,
    Collation nvarchar(256),
    ConnectTimeOut int,
    QueryTimeOut int
)

insert into @myTable
    exec sp_helpserver

select * from @myTable

Also, here’s an example to get result of a stored procedure using temporary table:

create table #myTable
(
    ServerName nvarchar(256),
    NetworkName nvarchar(256),
    Status nvarchar(4000),
    ID int,
    Collation nvarchar(256),
    ConnectTimeOut int,
    QueryTimeOut int
)

insert into #myTable
    exec sp_helpserver

select * from #myTable
drop table #myTable

Thats all from me. Let me know if you have any more solutions.

Uma dica rápida pra quem está tentando executar um arquivo .bat usando o php. Dê permissão ao usuário do apache ou IIS para executar o cmd.exe, feito isso, chame o seu bat usando como ponte  prompt de comando: exec(“cmd.exe \c arquivo.bat”)

Lembre-se que seu script batch não deve ter interação com o usuário

Abrasss

Ende Juli veröffentlichte ich das Skript “findgrep”, das mit Hilfe von “find” und “grep” Verzeichnisse rekursiv nach Textmustern durchsucht.

Lizenz:Creative Commons Attribution ShareAlike 3.0; (click pic for details)

Der dazu erschienene Artikel (samt Skript für die bash) hat sich inzwischen zu einem der meistaufgerufenen Artikel  dieses Blogs gemausert. Auch bei den Suchanfragen, über die dieses Blog gefunden wird, stehen Ausdrücke wie “find und grep rekursiv” oft ganz oben auf der Hitliste. Bevor ich das Skript zusammengeschustert hatte, war ich auch eine gute Weile mit Recherche beschäftigt, ohne auf die Schnelle eine passende Lösung zu finden.

Deshalb habe ich das Skript in den letzten Wochen auf meinem Klapprechner  überarbeitet. Das Resultat, “findgrep Version 0.2″ kann weiter unten heruntergeladen werden.

findgrep v 0.2: Verzeichnisse rekursiv nach Text durchsuchen

Verbesserungen:

• Die gefilterten Ergebnisse werden ja in einer Textdatei (Variable $SAVEFILE) gespeichert. War diese Datei jedoch unterhalb des Suchverzeichnisses angesiedelt, suchte sich findgrep einen Wolf, da es die bereits gefundenen Ergebnisse erneut als Treffer anzeigte. Dieser Bug wurde behoben.
• Bisher musste der Nutzer nach jedem Start des Programms den Suchpfad angeben. Zusätzlich hat der Nutzer nun die Möglichkeit, durch “ENTER” das Standardverzeichnis zu bestätigen (Standard: /var/log)  Zum Ändern einfach die Variable $SEARCHDIR im Skript anpassen.
• Sowohl bei der Auswahl als auch bei der Präsentation der Ergebnisse wurde das Programm grafisch anschaulicher aufpoliert
• findgrep zeigt nun die Anzahl der gefundenen Matches an

findgrep: Suche nach "warning" in /var/log beendet ...

Download findgrep v 0.2: Bitte hier klicken und mit copy und paste holen. Rechtsklick und “Speichern unter …” funktioniert nicht.

Das Skript ist für Ubuntu getestet. Manche Versionen von grep kennen die Option “color” nicht und brechen das Skript mit Fehlermeldung ab. Äh, ach ja: Der nette junge Herr oben bin nicht ich. Ich fand das Bild nur passend zum Thema und habe es auf Wikimedia gefunden.

Alle findgrep Artikel

Bob Kruse, who recently led a critical Chevrolet Volt team and devised the automaker’s long-term electric vehicle strategy, has resigned months before the vehicle’s debut.

Kruse’s resignation, effective today, comes at a crucial time for General Motors Co., which is banking on the Volt to change public perceptions of the company and also help meet

Source:
http://detnews.com/article/20090930/AUTO01/909300326/GM-s-top-electric-car-exec-quits

THE ANZ Bank has recruited veteran banker Phil Chronican to drive the Australian strategy of the bank in a hiring coup that has been described as a “an adrenalin shot” that will boost momentum for the domestic banking business.

Mr Chronican, 52, left Westpac in June after a 27-year career at the bank that ended after Gail Kelly beat him to the chief executive position after his close ally David Morgan retired. He was Westpac’s head of institutional banking, after previously serving as chief financial officer.

Mr Chronican will become the Australian chief executive of ANZ reporting directly to chief executive Mike Smith, and fills the void left when Brian Hartzer defected to be head of retail banking at the Royal Bank of Scotland earlier this year.

Mr Chronican will start his job in November. He is understood to have been on a short list of three for the position.

“I have had my eye on him for some time,” Mr Smith said.

“I have known Phil a long time and he will be the right sort of mix for our organisation.

“We have rebuilt the management team and I just felt that he would fit very well.”

Mr Chronican’s appointment to a primarily retail banking position has surprised some observers, given his most recent focus on institutional business.

But Mr Smith said Mr Chronican had a diversity of experience, after working across the banking spectrum at Westpac.

“At Westpac he was primarily involved in corporate and institutional banking but he has been a long-term banker,” he said.

“He has come up through the retail side, through the corporate side, through the finance side. He is like me, he has done a bit of everything.”

One of Mr Chronican’s first duties will be to increase ANZ’s share of the new mortgage market, which along with traditional rival NAB, has ground to a halt.

Westpac and CBA now account for almost 70 per cent of all new home loans.

UBS analyst Jonathan Mott said Mr Chronican’s appointment was a good move that would help reinvigorate ANZ’s retail business and distribution networks that could improve the mortgage market share.

“Phil brings with him a reputation as one of Australia’s leading bankers following his extended career at Westpac,” Mr Mott said.

“We believe that his skills and experience will provide an adrenalin boost to ANZ’s Australian operations which have lost momentum in recent times since the exit of Brian Hartzer.”

The market is starting to pay attention to ANZ’s strategy of diversifying its business geographically by focusing on growth in Asia and has given the thumbs up to its $1.9 billion purchase last week of wealth management business ING, but the Australian retail business is generally perceived as the group’s weak spot.

ANZ has market share of about 13 per cent in retail banking.

With Mr Chronican now named, the last major executive Mr Smith has to fill a team it has taken almost two years to build is the ANZ chief information officer.

THE ANZ Bank has recruited veteran banker Phil Chronican to drive the Australian strategy of the bank in a hiring coup that has been described as a “an adrenalin shot” that will boost momentum for the domestic banking business.

Mr Chronican, 52, left Westpac in June after a 27-year career at the bank that ended after Gail Kelly beat him to the chief executive position after his close ally David Morgan retired. He was Westpac’s head of institutional banking, after previously serving as chief financial officer.

Mr Chronican will become the Australian chief executive of ANZ reporting directly to chief executive Mike Smith, and fills the void left when Brian Hartzer defected to be head of retail banking at the Royal Bank of Scotland earlier this year.

Mr Chronican will start his job in November. He is understood to have been on a short list of three for the position.

“I have had my eye on him for some time,” Mr Smith said.

“I have known Phil a long time and he will be the right sort of mix for our organisation.

“We have rebuilt the management team and I just felt that he would fit very well.”

Mr Chronican’s appointment to a primarily retail banking position has surprised some observers, given his most recent focus on institutional business.

But Mr Smith said Mr Chronican had a diversity of experience, after working across the banking spectrum at Westpac.

“At Westpac he was primarily involved in corporate and institutional banking but he has been a long-term banker,” he said.

“He has come up through the retail side, through the corporate side, through the finance side. He is like me, he has done a bit of everything.”

One of Mr Chronican’s first duties will be to increase ANZ’s share of the new mortgage market, which along with traditional rival NAB, has ground to a halt.

Westpac and CBA now account for almost 70 per cent of all new home loans.

UBS analyst Jonathan Mott said Mr Chronican’s appointment was a good move that would help reinvigorate ANZ’s retail business and distribution networks that could improve the mortgage market share.

“Phil brings with him a reputation as one of Australia’s leading bankers following his extended career at Westpac,” Mr Mott said.

“We believe that his skills and experience will provide an adrenalin boost to ANZ’s Australian operations which have lost momentum in recent times since the exit of Brian Hartzer.”

The market is starting to pay attention to ANZ’s strategy of diversifying its business geographically by focusing on growth in Asia and has given the thumbs up to its $1.9 billion purchase last week of wealth management business ING, but the Australian retail business is generally perceived as the group’s weak spot.

ANZ has market share of about 13 per cent in retail banking.

With Mr Chronican now named, the last major executive Mr Smith has to fill a team it has taken almost two years to build is the ANZ chief information officer.

NEW YORK (AP) — The New York Times Co. issued an unusual correction Friday to fix a mistake that indicated the newspaper publisher’s board of directors didn’t know the company’s rules governing executive compensation.

The admission involved stock option awards and other incentives handed out in the past 19 months to Janet Robinson and Arthur Sulzberger Jr., the Times Co.’s top two executives. In addressing the problems, the company took steps to ensure both Robinson, the company’s chief executive, and Sulzberger, its longtime chairman, will still have a chance to make almost as much money as the board originally intended.

Nashville-based prison operator CCA will get new CEOHeritage Oil up on talk of Shell making bid

Idag hade vi ett internt möte om hur vi kan öka medlemsnyttan, bl a genom att bli mer glokala. Det innebär att de rapporter vi tar fram inom det politiska området skall vara möjliga att bryta ner på regional nivå. Det innebär att fakta kan användas för Sjuhärad, Skaraborg och Fyrbodal. Jag tror att vi även skulle kunna ha fler medlemsmöten i aktuella frågor. Ytterligare en idé är att “turnera” med ett antal av våra kompetenser, så att vi lokalt kan stödja och hjälpa till med att utveckla lokala företag. Inte minst sprida vilka kompetenser som finns inom handelskammaren. Vi ska testa ett antal olika nya grepp så får vi utvärdera det efteråt, inga fler utredningar….från ord till handling!

Hade möte med två av våra duktiga mentorer imorse. Två härliga entrepenörer som har varit med och startat och utvecklat många företag. Fantastiska personer som är goda inspiratörer för våra nätverksdeltagare i Exec. Vi har en mentor på en grupp av 10-12 personer och med så bra mentorer är jag övertygad om att dessa personer utvecklas och får nya värdefulla kontakter.

Utredningen om höghastighetståg kom idag. Intressant att utredaren Malm föreslår tåg som går över 300 km/timme, mellan Stockholm-Göteborg/Malmö. För oss är länken mellan Göteborg-Jönköping via Landvetter flygplats och Borås viktigast. Trist att det ska ta så lång tid innan utbyggnaden är färdig. Sverige är för långsamma!

Twitter is really trying to become the company that everyone has it pegged to be, or at least it seems that way by their hiring tactics as of late. While the media daily predicts the emergence / unfettered growth / imminent doom of the micro-blogging service daily (are you sick of it yet?) Twitter goes about its merry way showing signs of brilliance (rapid growth) and signs of “WTF?!” (outages).

The latest attempt to move to the next level, according to TechCrunch, is the hiring of Feedburner co-founder and CEO Dick Costolo as the new COO of Twitter. Costolo left Google in July after spending enough time with Feedburner’s new owners to watch them drop the ball. What makes this hire significant (aside from Costolo being an early investor in Twitter) according to TC’s Michael Arrington is

Costolo, who is also an early Twitter investor, is someone who has actual experience building scalable infrastructures, which Twitter sorely needs. The company hasn’t launched any new features in recent memory, and continues to have regular downtime. In fact, Twitter’s inability to build features and keep the service live is a serious competitive disadvantage. Costolo can presumably fix all that.

So here we are living out another day in the never ending soap opera of hope and flame-outs that is Twitter. From the confusion of “How does thing work for business?” to the predictions that the service is woefully undervalued and underhyped and all stops in between, everyone wants in on the Twitter phenomenon. Fortunately, it looks like Twitter is taking notice as well by hiring the likes of Costolo. They recently hired Google’s top legal ace as well.

So Twitter is still busy in the background trying to get the right people on the bus. Stay tuned as something is likely to change or be predicted in the next 15 seconds or so that will keep everyone busy for another short period of time.

Social Media Monitoring in Just 60-Seconds. Guaranteed!

I just found an interesting bug, so I thought it might be worthwhile to share it with these intertubes to prevent other people from making the same mistake.

I was just transferring some more music onto my iPhone with Amarok while at the same time listening to music. I wanted to listen to a particular track (from a Moby album I bought recently), so stopped and switched to that, but Amarok would not play it and complained about the sound device being busy. This seemed rather odd as it had just been playing fine until I tried to change tracks. Wanting to get to the bottom of this, I checked who had what open:

andrew@rata:~$ sudo lsof /dev/snd/*
lsof: WARNING: can't stat() fuse.sshfs file system /media/iphone
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
timidity 4162 root 6u CHR 116,1 4973 /dev/snd/seq
kmix 4511 andrew 10u CHR 116,0 5260 /dev/snd/controlC0
ssh 5605 andrew 16u CHR 116,0 5260 /dev/snd/controlC0
ssh 5605 andrew 33r CHR 116,33 4954 /dev/snd/timer
ssh 5605 andrew 39u CHR 116,16 5236 /dev/snd/pcmC0D0p
ssh 5605 andrew 41u CHR 116,0 5260 /dev/snd/controlC0
sshfs 5609 andrew 16u CHR 116,0 5260 /dev/snd/controlC0
sshfs 5609 andrew 33r CHR 116,33 4954 /dev/snd/timer
sshfs 5609 andrew 39u CHR 116,16 5236 /dev/snd/pcmC0D0p
sshfs 5609 andrew 41u CHR 116,0 5260 /dev/snd/controlC0

I should point out at this point that the way I get Amarok to sync music to my (jailbroken) iPhone is to FUSE-mount the iPhone via SFTP over the network, so that is why SSH was running. But on with the story.

SSH had my sound device open‽ What? That seemed very odd. I wondered whether perhaps there was some new SSH feature I had not heard about to forward sound over the network connection (as it can do for GUI applications using X11), but there I could find no mention of such a feature in the manpage or via Google, nor any possible reason why it might want to open a sound device. I asked lorne, and he was equally confused, but suggested a few things to check.

After a bit of poking around I discovered that I could not replicate this behaviour by mounting the filesystem myself, only when Amarok did it. This prompted a realisation of what must be happening: when Amarok launches sshfs to mount the iPhone filesystem, it presumably does a fork and exec to start the new process. But when you do this, the new process inherits all the open file handles of the parent process. Amarok of course had the sound device open to play the music I was listening to originally, so sshfs and subsequently ssh ended up with the same device file open. Amarok must then have closed it and tried to reopen it when I switched tracks, and this failed because the other processes it had launched still had it open. Of course.

So, lesson of the day: when you fork, remember to close any excess files before you exec. Especially if they are device files or other special files.

I should probably file a bug report for Amarok, but I am not sure that I can be bothered.

STEVE Targett came to the ANZ Bank with a strong international banking pedigree and hopes of becoming the bank’s next chief executive.

Instead, the career banker left the institution just three years later with his reputation shredded and his corporate career in Australia virtually finished.

“You Google my name and it’s all there,” Targett says in his first interview since his bitter exit from the bank on June 7, 2007. “It’s something I have to live with but it just seems unfair.

“ANZ are first class at spinning issues to the media.

“It’s pretty much impossible for me to get a job in Australia, which may or may not be a bad thing.”

Targett is now in the fight of his life to save his reputation, locked in a multi-million-dollar legal battle with ANZ.

“You take on a big organisation and the largest legal firms won’t touch you,” he told The Australian. “Most global search firms won’t touch you and so on, because ANZ are a big, important wallet to them.

“It’s a very lonely place at the moment. I’ve taken on a very tough path.”

Targett is suing ANZ for allegedly misleading and deceptive conduct and breach of contract.

He claims the bank misled him about the state of the institutional business and that he was lured away from a top job in Britain with the alleged promise he might succeed former ANZ chief executive John McFarlane. Targett missed out on the chief executive role, which went to HSBC Asia-Pacific boss Mike Smith, who joined after Targett left.

His departure from ANZ in June 2007 was bittersweet. Only a few weeks later Targett’s son Matt was competing in Australian swimming events in his quest to go to the Olympic Games.

For two years Targett has stayed silent about his unceremonious departure. He is now ready to tell his side of the story.

Targett describes ANZ’s culture as “a little too collaborative”, “clubby” and “lacking discipline”.

From the outside, ANZ appeared to be hitting all the right notes. At the time, it was the darling of the banking sector, delivering stunning profit numbers year after year.

But Targett offers a different perspective.

“I felt that going into an economic downturn, the culture at ANZ would have been a problem, because it was an ill-disciplined business culture,” he says. “Lots of meetings, lots of talk, lots of people feeling good about each other. Not enough discussions on clients, deals and competitors.

“I just felt it lacked a little bit of a hard edge, but you weren’t popular for saying that.”

For Targett, the career-ending moment came on April 26.

McFarlane let it be known publicly that he was unhappy with the performance of the institutional business. Handing down his final interim profit, McFarlane said the result would have been an “absolute stunner” if not for an inferior performance by the institutional division.

“At the time I knew my career at ANZ was over,” Targett says, but adds that ANZ chairman Charles Goode remained supportive.

Targett is keen to set the record straight on a number of facts. For one, he insists he was not sacked.

Targett claims he initiated the separation, and sought to leave the bank on terms he claims had been agreed to before he joined ANZ.

He also defends the performance of the institutional business under his watch, saying that on average he “exceeded the net profit-after-tax target that was given to me on a stretch basis over the three-year period, without any new investment in the business”.

Targett says McFarlane didn’t see him as ANZ’s next chief executive, and they had “very different leadership styles”.

“He probably knows that I would have changed a lot of things that he did, whereas — and this is only a guess — he would have preferred Brian Hartzer as his internal replacement,” Targett says. “I think he saw Brian as a better candidate and a smoother transition.”

McFarlane and Targett differed over more than just banking matters. “You’ve read in the press (that) John liked things like feng shui,” Targett says. “He loved that sort of stuff. I guess I am a different person. It worked for him but it wasn’t for me.

“I didn’t need to see the feng shui consultant come around and put little elephants in the corner of my office and tell me to give money to 10 beggars in 10 days and the like, otherwise I would have bad luck. I’m not that sort of person.”

Had he ascended to the top job at ANZ, Targett says he would have made changes, including the Asian strategy.

“ANZ have talked a lot about growth in Asia but they’re trying to grow on a shoestring,” he said.

“I would have either focused on getting only a few countries right or really trying to acquire something of scale.

“I actually think the only way ANZ can succeed in Asia is to acquire something cheaply.”

Targett says that because the internal focus was on earnings growth there were “a lot of short cuts taken” in terms of processes, back office and technology spend.

“I would have had a decent go to try to fix that because you run too much operational risk if you don’t spend adequate investment dollars and constantly try to cut corners and grow your revenue line,” he says.

“However, to say that money needed to be spent on technology and processes and sorting out the back office, can indicate that people before you haven’t done things thoroughly, so I think gaining the right levels of investment to address these problems would have been a hard sell to the board.”

He also says ANZ’s wealth management strategy needs an overhaul when the ING joint venture agreement expires — “unwinding the joint venture with ING and upgrading the Private Bank”.

ANZ ‘ran unacceptable risks’Free Webinar: Tap Into the Hidden Economic Stimulus

The race goes not always to the swift but to those who keep running. You have powers you never dreamed of. You are capable of doing things you never thought possible. There are no limitations on what you can do.

If this doesn’t inspire you to get off your you know what, I don’t know what will. Evelyn Stevens was a typical wall street exec, before getting on a bike one day and discovering she had an incredible hidden talent. This week she is competing in the Tour De France with under a year of formal training under her belt, a feat that is as extraordinary as it is unusual. Read her story, as profiled in the Wall Street Journal and get inspired to think outside your comfort zone and try something, you may not find your way to being an elite athlete, but you may find your hidden talent, and more importantly have some fun!

Successories on Twitter and Facebook

JEAN-PIERRE Mustier, the highflying banker who headed Societe Generale’s investment banking arm when the French bank was rocked by a trading scandal in 2008, is stepping down after being named in an insider-trading investigation.

The inquiry by France’s stockmarket regulator into alleged insider trading by Mr Mustier did not relate to the €4.9 billion ($8.4bn) trading scandal, according to the bank, which gave no further details of the investigation.

Mr Mustier rejected the insider trading allegations, SocGen added. A lawyer for Mr Mustier, Jean Veil, said the “probe has absolutely nothing to do with the (Jerome) Kerviel affair”, referring to the trading scandal.

As part of its insider-trading probe, the French stockmarket watchdog wants to determine whether Mr Mustier knew that the sub-prime mortgage crisis would hit the bank hard when he sold half of the SocGen shares he owned on August 21, 2007, a person familiar with the probe said.

By selling some SocGen shares before the bank disclosed sub-prime related losses, the market watchdog suspects that Mr Mustier may have locked in gains of between €50,000 and €200,000, the person said.

Mr Mustier already had been expected to leave the bank by year’s end. Still, the regulator’s probe marks an unfortunate close to the 22-year career of a man who once was expected to end up with the bank’s top job. The son of a surgeon, Mr Mustier joined SocGen in 1987 and took over the corporate and investment-bank division in 2003.

He led a largely successful push to make SocGen a top player in the cutting edge niche of equity derivatives and certain areas of fixed income.

Last year, however, Mr Mustier became the point man in answering questions about the bank’s shocking twin announcements that were made on January 2008: for €2.05 billion in writedowns on mortgage securities or credit exposure and, more significantly, a €4.9bn trading loss racked up at the hands of trader Jerome Kerviel.

In the wake of the trading scandal, Mr Mustier had offered his resignation, but it had been rejected on the grounds that he needed to help SocGen get back on-track. In subsequent months, the bank had put Mr Mustier in charge of the asset-management and investor-services division.

In its statement yesterday, SocGen also said that Robert Day, a non-executive director, was also under investigation by the French regulator for alleged insider trading, and that he had also rejected the allegations.

The bank said the proceedings against Mustier and Day came in the wake of an investigation, started in 2008, into the bank’s financial information disclosure and the trading of its shares.

“In view of the ongoing (inquiry), Jean-Pierre Mustier has decided, in the interest of the group, to anticipate his departure and has tendered his resignation, which has been accepted,” the bank said in the statement.

As recently as last Wednesday, when SocGen announced second-quarter earnings that were better than expected, Mr Mustier had fielded questions from analysts about the group’s asset management and investor services activities.

The French regulator wasn’t available for comment.

Regulators send a messageFacebook Working to Amp Up Ad Opps

Wie kann man ein komplettes Verzeichnis mit allen darunterliegenden Dateien nach einem bestimmten Textmuster durchsuchen?

Bild Lizenz: Creative Commons Attribution ShareAlike 3.0 ——– Quelle: wikimedia.org

Update 18.9.2009: Kein Artikel auf diesem Blog wird inzwischen so häufig aufgerufen wie dieser. Auch das Skript wird täglich heruntergeladen. Deshalb mache ich mich gerade daran, das Skript weiter zu verbessern. So stay tuned!

Unter Linux macht dies eine Kombination von find und grep möglich. Im folgenden Beispiel soll im kompletten Verzeichnis /etc bis hinunter zur letzten Datei (find /etc -type f) nach dem Begriff “ssid” gesucht werden.  Dabei soll Groß- und Kleinschreibung keine Rolle spielen (grep -i).  Außerdem sollen Fehlermeldungen unterdrückt werden (2>/dev/null). Möglich macht dies folgender Befehl:

find /etc -type f -exec grep -i ssid /dev/null {} \; 2> /dev/null

Schade nur, dass man sich solche Befehlsmonster schwer merken kann. Abhilfe schaftt hier ein kleines Skript, dass ich “findgrep” genannt habe. Das Skript zeigt die Suchergebnisse farbig an und speichert die gefundenen Ergebnisse in einer Textdatei zur späteren Nachbearbeitung.  Und so sieht das Skript im Einsatz aus:

Um das Skript einzusetzen, muss die weiter unten folgende  Datei findgrep.doc einfach in eine reine Textdatei mit dem Namen “findgrep” umgewandelt werden und in einem Verzeichnis abgelegt werden, die in der Variable PATH enthalten ist. Nun noch die Datei ausführbar machen:

sudo chmod +x /pfad/zu/findgrep

Der umständliche Weg über die .doc Datei wird gewählt, da WordPress – wie schon oft gesagt -  das doppelte Minuszeichen (–) bei Befehlsoptionen falsch anzeigt und das Skript ohne manueller Nachbesserung nicht einsatzfähig ist.

Und hier das Skript zum Download:

http://linuxnetz.wordpress.com/files/2009/07/findgrep.doc