Set your RAMTOP to f3b1666d13607242ed061cabb8d46202 or 9223372036854775807

home | blog | Teh Internet | guest blog |rants | political | projects | Gwen and Liam | Citadel patched | Tools | TMBG


- Careful Chrome users, this search box might be "Not secure"


13 December 2017, 15:55 UTCNOC, NOC?

Who's there?
Vasilyev Ivan Ivanovich
AS39523
All your "big" routes are belong to us:
https://bgpmon.net/popular-destinations-rerouted-to-russia/

...
Early this morning (UTC) our systems detected a suspicious event where many prefixes
for high profile destinations were being announced by an unused Russian Autonomous System.

Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such Google, Apple, Facebook,
Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP
routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.
...

[permalink]


5 December 2017, 15:13 UTCAndroid 8.1 Oreo

Now even more invasive!

[permalink]


15 November 2017, 18:23 UTCTimedRotatingFileHandler - don't be stupid.

So you are using the fine Python TimedRotatingFileHandler,
and you want rotation after a minute.
Make sure your process does not finish in less time than that :-\

[permalink]


14 November 2017, 5:46 UTCSystemd (resolv.conf and dnsmasq)

If you run dnsmasq and are having some trouble with occasional dns drops:
give this a try:

ls -alh /etc/resolv.conf
you should record where that Systemd points to in the future...
mine points to /run/resolvconf/resolv.conf

If you cat that, you find:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search lan

That does not include the lie of 8.8.8.8 and 8.8.4.4, so just remove that link
rm /etc/resolv.conf
b.t.w. that link lives in /etc/systemd/resolved.conf - silly D, tricks are for google...
(what else is going on that is non-apparent in that seemingly PID 1 process?)

And add back in the truth via a simple;
nameserver 127.0.0.1

Of course if you believe in dnssec, you probably believe in not butter...

Not butter constitutional siginatures
https://www.iana.org/reports/2010/root-ksk-2010.pdf
Not sure how they would sign so everybody in the world would agree and trust it...
A keysigining party on that scale would be interesting...

[permalink]


7 November 2017, 14:23 UTCCorporate 'the buck stops here' at CenturyLink / Level3

Key bit here:
"Corrective Actions: ... The individual responsible for this policy change has been identified."



I feel for that worker bee. Sounds like they need a scapegoat for bad process.
Root Cause: A
configuration issue impacted IP services in various markets across the United
States.

Fix Action: The IP NOC reverted a policy change to restore services to a stable
state.

Summary: The IP NOC was informed of a significant client impact which seemed to
originate on the east coast. The IP NOC began investigating, and soon
discovered that the service impact was occurring in various markets across the
United States. The issue was isolated to a policy change that was implemented
to a single router in error while trying to configure an individual customer
BGP. This policy change affected a major public peering session. The IP NOC
reverted the policy change to restore services to a stable state.

Corrective Actions: An extensive post analysis review will be conducted to
evaluate preventative measures and corrective actions that can be implemented
to prevent network impact of this magnitude. The individual responsible for
this policy change has been identified.

This service impact has concluded; if additional issues are experienced, please
contact the CenturyLink Technical Service Center. There may be additional
analysis and discovery that occurs as the incident is reviewed by NOC
management. Any available updates will be relayed upon event ticket closure. At
that time, a customer satisfaction survey link may be available. We strive to
provide thorough communications containing the available information during a
service disruption. Please let us know if the updates you received during this
event were satisfactory.

More light reading:
https://news.ycombinator.com/item?id=15684372
When that link breaks:
https://dyn.com/blog/widespread-impact-caused-by-level-3-bgp-route-leak/
Even more on complex systems and root cause:
https://www.kitchensoap.com/2012/02/10/each-necessary-but-only-jointly-sufficient/

[permalink]


4 November 2017, 6:44 UTCFilesystems, files, and inodes, oh my!

Raymond Hettinger - Glad to have him as a core Python contributer.
- A thinker that has an ability to simplify the complex!

Raymond Hettinger‏ @raymondh

#python insight of the day:  Directories are a namespace and behave like dictionaries where the key is a filename and the value is an inode.

[permalink]


11 October 2017, 16:21 UTCData just wants to be free!

Please, keep putting your data up on S3 storage unsecured people.
The defaults are secure, you are screwing it up....
https://aws.amazon.com/s3/faqs/#security

Q: How secure is my data?

Amazon S3 is secure by default. Only the bucket and object owners originally
have access to Amazon S3 resources they create. Amazon S3 supports user
authentication to control access to data. You can use access control mechanisms
such as bucket policies and Access Control Lists (ACLs) to selectively grant
permissions to users and groups of users. You can securely upload/download
your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you
need extra security you can use the Server Side Encryption (SSE) option or the
Server Side Encryption with Customer-Provide Keys (SSE-C) option to encrypt data
stored-at-rest. Amazon S3 provides the encryption technology for both SSE and
SSE-C. Alternatively you can use your own encryption libraries to encrypt data
before storing it in Amazon S3.

Looks like you have to go a bit out of your way to leave it open like this:
https://aws.amazon.com/articles/5050/
...
It has come to our attention that some customers have changed default permissions
and granted public access to their buckets. Although you can grant public access
to your bucket using ACLs, you must take the following issues into consideration:
...
Bucket public "READ" access: This is sometimes referred to as "list" access.
It allows anyone to get a complete list of your bucket content. 
It does not grant permissions to read content of an object. However,
a list of object names can often provide more information than necessary
to the public
...

You need to go further than read and poke even more holes!

[permalink]


26 September 2017, 19:41 UTCGoogle / Chrome - Breaking the functionality of the web to save users from themselves.

You have a site that is editable from a browser.
You can submit Javascript as a part of a post to the site.



You now can't using Chrome:


Suppose I need to write a web browser now.
Shall I name it pointy sharp things?

[permalink]


18 September 2017, 18:52 UTCOptionsbleed - ask / search for it today :-)

https://nvd.nist.gov/vuln/detail/CVE-2017-9798
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
Check for Limit in your Apache .htaccess files for now, and patch.
If you allow users to create .htaccess on shared hosting... patch now. More to follow later...

[permalink]


15 September 2017, 17:07 UTCOld Python 2.7 install on Windows need pip / setuptools help?

Had some trouble with pip installing packages on a Windows install today.
I had a need to use pyad - 'cause screw using Powershell and writing 500 lines of code to do the same thing in what turned out to be 41 lines....
https://pypi.python.org/pypi/pyad
That rant aside, if you find pip or setuptools not working, here is how to kick-start it:

python -m ensurepip
python -m pip install -U pip setuptools

Then give your installer another go (should be installed and upgraded).
Global install if you dare:
python setup.py install

[permalink]



24 July 2017, 17:45 UTCGoogle - how about "no".
20 June 2017, 18:49 UTCSo, in 2017, Grub2 still can't boot md raid 1.2 with on lvm top of it?
6 June 2017, 20:14 UTCWhere does that module live in the Python install?
31 May 2017, 18:38 UTCWindows 10 - Updates stopped and error: 0x8024401c?
30 May 2017, 13:34 UTCGoogle, where is your head? Not Secure. Is that the best wording you could come up with?
30 May 2017, 4:48 UTCO.K. Google, where are you getting your TZ data?
26 May 2017, 20:45 UTCBye
19 April 2017, 14:48 UTCSegfault error codes:
12 April 2017, 14:34 UTCTruly international experiences today.
5 April 2017, 16:54 UTCDocumentation is the only defense against tribal knowledge.
21 March 2017, 13:07 UTCHow not to serve a web page:
8 March 2017, 16:07 UTCDeployStudio - Inappropriate repository error
3 March 2017, 15:21 UTCGmail - get your smtp replies fixed - 4.7.0 is not a rejection.
10 February 2017, 19:28 UTCCheck your mail servers cert using a tls connection:
1 November 2016, 3:37 UTCWeb programming and n-tier programming:
11 October 2016, 19:09 UTCGood old telnet
7 October 2016, 19:29 UTCCold beer and pretzels, takes care of cancer.
24 September 2016, 6:09 UTCSolve peoples problems with technology or perish.
9 September 2016, 4:43 UTCFabric fun.
10 August 2016, 3:38 UTCE: Problem with MergeList?

All older entries




[atom feed]  
[æ]