JSR $FFD2 C600G IEFBR14 1195725856 1213486160 542393671 1347703880



29 January 2018, 14:32 UTC
The most current Microsoft advice on configuration documentation:

Please ignore that documentation for now: it will be changed to reflect the reality of the scenario.



25 January 2018, 17:10 UTC
Apple calls it (mostly) quits on the Server App...

Looks like the writing is on the wall for Apple Server.
Dumping many services, and suggesting replacements.
https://support.apple.com/en-us/HT208312
As always, here is a cut and paste of some of the details in case it goes away.


Prepare for changes to macOS Server

Learn about changes coming to macOS Server in spring 2018

macOS Server is changing to focus more on management of computers, devices,
and storage on your network. As a result, some changes are coming in how Server works.
A number of services will be deprecated, and will be hidden on new installations of an
update to macOS Server coming in spring 2018. If you've already configured one of these
services, you'll still be able to use it in the spring 2018 macOS Server update.

These deprecated services will be removed in a future release of macOS Server,
so those depending on them should consider alternatives, including hosted services.
Deprecated services are listed below. Links to potential replacements are provided
underneath each deprecated service.

Calendar
    Calendar and Contacts Server
    DavMail
    Radicale

Contacts
    Calendar and Contacts Server
    DavMail
    Citadel

DHCP
    Kea
    Dnsmasq
    FreeRADIUS

DNS
    BIND
    Unbound
    KnotDNS

Mail
    KerioConnect
    dovecot/Postfix
    Courier

Messages
    ejabberd
    Openfire
    Prosody

NetInstall
    NetSUS
    BSDPy

VPN
    OpenVPN
    SoftEther VPN
    Tcpcrypt

Websites
    Apache HTTP Server
    Nginx
    Lighttpd

Wiki
    MediaWiki
    PmWiki
    XWiki



20 January 2018, 4:00 UTC
I wonder...

If kids today save the downloaded QR coded file that has their concert ticket, the same way we saved the old paper ones.



3 January 2018, 21:32 UTC
Nobody ever got fired for going with Intel/AMD/ARM (ha). - (Meltdown / Spectre)

Some workloads just took a hit on many Intel processors made in the last 10 years.



- stop the presses - looks like Intel might patch 90% of the processors less than 5 years old:
Guess that would not be most folks anyway.
https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/

https://www.thomas-krenn.com/en/wiki/Safety_instructions_for_Meltdown_and_Spectre
https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/tree/Documentation/x86/kaiser.txt?h=kaiser-dynamic-414rc6-20171101
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-Test
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.qemu.org/2018/01/04/spectre/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

TLDR: Looks like kernel memory can probably be read by user space without a patch in kernel code.
Problem is, you pay a penalty for the patch in performance for some workloads.
Meltdown - side channel timing attack to learn kernel memory space secrets.
Spectre - abuses the CPU's predictive, out-of-order execution (there to work around slow memory fetches): malicious code uses the timing differences between sequential and out-of-order execution to attack memory in a victim process.

Forcefully Unmap Complete Kernel With Interrupt Trampolines
i.e. FUCKWIT

Might want to enable some protection in your browsers:
Chrome:
chrome://flags/#enable-site-per-process
http://www.chromium.org/Home/chromium-security/site-isolation
https://www.chromium.org/Home/chromium-security/ssca
Firefox:
about:config?filter=privacy.firstparty.isolate

Light reading before you consider any of this below this line:
https://technet.microsoft.com/en-us/library/bb694007.aspx
Here is some code to check for the key on Windows - it won't update without the new reg key:
import sys
import winreg  # Python 3 name of the old Python 2 _winreg module

# Replace None with r'\\computer-name' for a remote machine...
rem_reg = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)
try:
    # Swap winreg.KEY_WOW64_64KEY for winreg.KEY_WOW64_32KEY on 32 bit systems...
    akey = winreg.OpenKey(rem_reg, r'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat', 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
except OSError:
    print("Key not found or is WIN32")
    sys.exit(128)

# QueryInfoKey()[1] is the number of values stored under the key; list each one.
for i in range(winreg.QueryInfoKey(akey)[1]):
    n, v, t = winreg.EnumValue(akey, i)  # value name, data, registry type
    print(i, n, v, t)

Here is the same above as an exe:
Checker for 64 bit Windows -
reg key to add if not added by your non-existent Anti Virus software :-)



13 December 2017, 15:55 UTC
NOC, NOC?

Who's there?
Vasilyev Ivan Ivanovich
AS39523
All your "big" routes are belong to us:
https://bgpmon.net/popular-destinations-rerouted-to-russia/

...
Early this morning (UTC) our systems detected a suspicious event where many prefixes
for high profile destinations were being announced by an unused Russian Autonomous System.

Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such as Google, Apple, Facebook,
Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP
routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.
...



5 December 2017, 15:13 UTC
Android 8.1 Oreo

Now even more invasive!



15 November 2017, 18:23 UTC
TimedRotatingFileHandler - don't be stupid.

So you are using the fine Python TimedRotatingFileHandler,
and you want rotation after a minute.
Make sure your process does not finish in less time than that :-\
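
The failure mode above, as an added example (not code from the original post): each new process recomputes the rollover deadline from the log file's modification time, so frequent short runs keep pushing it forward. The function name, the app.log file and the use of os.utime to stand in for elapsed time are assumptions of this example.

```python
import logging
import logging.handlers
import os
import tempfile
import time


def simulate_short_runs(runs, gap_seconds, interval=60):
    """Simulate `runs` short-lived processes that each open the log, write one
    record and exit, `gap_seconds` apart. Returns the number of rotated files."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")  # constructed sample log file
        for n in range(runs):
            # A fresh handler per run stands in for a fresh process: its
            # rollover deadline is (mtime of the existing log) + interval.
            handler = logging.handlers.TimedRotatingFileHandler(
                path, when="S", interval=interval)
            record = logging.LogRecord(
                "demo", logging.INFO, "demo.py", 0, "run %d", (n,), None)
            handler.emit(record)  # rotates first only if the deadline passed
            handler.close()
            # Pretend gap_seconds pass before the next run by ageing the
            # file's mtime instead of sleeping.
            aged = time.time() - gap_seconds
            os.utime(path, (aged, aged))
        # Everything in the directory except app.log itself is a rotated file.
        return len(os.listdir(tmp)) - 1


if __name__ == "__main__":
    # Twelve runs 10 s apart cover 120 s of logging, yet nothing rotates:
    # every write moves the deadline another 60 s into the future.
    print("gap 10s, rotated files:", simulate_short_runs(12, 10))
    # Two runs 90 s apart: the second run finds a stale mtime and rotates.
    print("gap 90s, rotated files:", simulate_short_runs(2, 90))
```
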



14 November 2017, 5:46 UTC
Systemd (resolv.conf and dnsmasq)

If you run dnsmasq and are having some trouble with occasional DNS drops, give this a try:

ls -alh /etc/resolv.conf
You should record where that Systemd link points to, for the future...
mine points to /run/resolvconf/resolv.conf

If you cat that, you find:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search lan

That does not include the lie of 8.8.8.8 and 8.8.4.4, so just remove that link
rm /etc/resolv.conf
b.t.w. that link lives in /etc/systemd/resolved.conf - silly D, tricks are for google...
(what else is going on that is non-apparent in that seemingly PID 1 process?)

And add back in the truth via a simple:
nameserver 127.0.0.1

Of course if you believe in dnssec, you probably believe in not butter...

Not butter constitutional signatures
https://www.iana.org/reports/2010/root-ksk-2010.pdf
Not sure how they would sign so everybody in the world would agree and trust it...
A key-signing party on that scale would be interesting...



7 November 2017, 14:23 UTC
Corporate 'the buck stops here' at CenturyLink / Level3

Key bit here:
"Corrective Actions: ... The individual responsible for this policy change has been identified."



I feel for that worker bee. Sounds like they need a scapegoat for bad process.
Root Cause: A configuration issue impacted IP services in various markets
across the United States.

Fix Action: The IP NOC reverted a policy change to restore services to a stable
state.

Summary: The IP NOC was informed of a significant client impact which seemed to
originate on the east coast. The IP NOC began investigating, and soon
discovered that the service impact was occurring in various markets across the
United States. The issue was isolated to a policy change that was implemented
to a single router in error while trying to configure an individual customer
BGP. This policy change affected a major public peering session. The IP NOC
reverted the policy change to restore services to a stable state.

Corrective Actions: An extensive post analysis review will be conducted to
evaluate preventative measures and corrective actions that can be implemented
to prevent network impact of this magnitude. The individual responsible for
this policy change has been identified.

This service impact has concluded; if additional issues are experienced, please
contact the CenturyLink Technical Service Center. There may be additional
analysis and discovery that occurs as the incident is reviewed by NOC
management. Any available updates will be relayed upon event ticket closure. At
that time, a customer satisfaction survey link may be available. We strive to
provide thorough communications containing the available information during a
service disruption. Please let us know if the updates you received during this
event were satisfactory.

More light reading:
https://news.ycombinator.com/item?id=15684372
When that link breaks:
https://dyn.com/blog/widespread-impact-caused-by-level-3-bgp-route-leak/
Even more on complex systems and root cause:
https://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-sufficient/



4 November 2017, 6:44 UTC
Filesystems, files, and inodes, oh my!

Raymond Hettinger - Glad to have him as a core Python contributor.
- A thinker that has an ability to simplify the complex!

Raymond Hettinger @raymondh

#python insight of the day:  Directories are a namespace and behave like dictionaries where the key is a filename and the value is an inode.




11 October 2017, 16:21 UTC - Data just wants to be free!
26 September 2017, 19:41 UTC - Google / Chrome - Breaking the functionality of the web to save users from themselves.
18 September 2017, 18:52 UTC - Optionsbleed - ask / search for it today :-)
15 September 2017, 17:07 UTC - Old Python 2.7 install on Windows need pip / setuptools help?
24 July 2017, 17:45 UTC - Google - how about "no".
20 June 2017, 18:49 UTC - So, in 2017, Grub2 still can't boot md raid 1.2 with on lvm top of it?
6 June 2017, 20:14 UTC - Where does that module live in the Python install?
31 May 2017, 18:38 UTC - Windows 10 - Updates stopped and error: 0x8024401c?
30 May 2017, 13:34 UTC - Google, where is your head? Not Secure. Is that the best wording you could come up with?
30 May 2017, 4:48 UTC - O.K. Google, where are you getting your TZ data?
26 May 2017, 20:45 UTC - Bye
19 April 2017, 14:48 UTC - Segfault error codes:
12 April 2017, 14:34 UTC - Truly international experiences today.
5 April 2017, 16:54 UTC - Documentation is the only defense against tribal knowledge.
21 March 2017, 13:07 UTC - How not to serve a web page:
8 March 2017, 16:07 UTC - DeployStudio - Inappropriate repository error
3 March 2017, 15:21 UTC - Gmail - get your smtp replies fixed - 4.7.0 is not a rejection.
10 February 2017, 19:28 UTC - Check your mail servers cert using a tls connection:
1 November 2016, 3:37 UTC - Web programming and n-tier programming:
11 October 2016, 19:09 UTC - Good old telnet
