Centroid.EU Blog
(this blog is mostly encrypted - adults only)
January 11th, 2019
I finally had the code right, but one KSK rollover was botched. This
was due to the wrong instructions in RFC 6781 section 4.1.2. I should
have looked in the Errata section of this RFC. The result of the
botched effort to roll the KSK of the zone dtschland.eu is that if
you got the DS record for it from the eu. nameservers, it will not
validate, because the old DNSKEY was already rolled out of the dtschland.eu. zone.
The rollover should keep the old, rolled-out key around for 86400 seconds,
as is being done for the freifunk-schweinfurt.de zone. Here is the listing
of DNSKEYs of that zone:
beta$ dig @omega.virgostar.net dnskey freifunk-schweinfurt.de +dnssec |\
grep RRSIG | awk '{print $11}'
40824
59532
56933
These are the key tags (key IDs) of the keys that are currently active. After tomorrow 18:00, the
59532 key can be safely removed.
I'm going to be working on all my DNSSEC'ed zones to roll ZSK and KSK over the
next few weeks. I have services on some domain names, so this process must
work. I must work out any kinks before I do any such changes. Someone told
me that RFC 7583 is important to read. Also I have written up the process
for rolling a KSK with delphinusdnsd here in the delphinusdns.org handbook.
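An added example (not code from the post or from delphinusdnsd) that models the failure described above: a DS record that the eu. nameservers or a resolver cache still hand out must match a DNSKEY that is still published in the child zone, so the old KSK has to stay in the DNSKEY RRset until the parent's DS TTL has passed. The key bytes are constructed placeholders, not real ECDSA keys; the key tag and SHA-256 DS computation follow RFC 4034 Appendix B and RFC 4509.

```python
import hashlib
import struct

# Constructed sample keys (flags, protocol, algorithm, public key bytes).
# The "public key" bytes are placeholders that only exercise the arithmetic.
OLD_KSK = (257, 3, 13, bytes([0x00, 0x01, 0x02, 0x03]))
NEW_KSK = (257, 3, 13, bytes(range(4, 36)))
ZSK = (256, 3, 13, bytes(range(40, 72)))

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(key):
    flags, protocol, algorithm, pubkey = key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(key):
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, key):
    """DS rdata (key tag, algorithm, digest type 2, hex SHA-256) as the parent publishes it."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata(key)).hexdigest()
    return (key_tag(key), key[2], 2, digest)

def chain_intact(ds_set, dnskey_set, owner):
    """True if at least one DS a resolver may hold matches a DNSKEY still published
    in the child zone; signature checks on the DNSKEY RRset are out of scope here."""
    published = {ds_from_dnskey(owner, k) for k in dnskey_set}
    return any(ds in published for ds in ds_set)

def rollover_states(owner="dtschland.eu."):
    """Walk the KSK rollover: the DS still in caches must match until its TTL expires."""
    cached_ds = {ds_from_dnskey(owner, OLD_KSK)}   # what eu. caches still hand out
    new_ds = {ds_from_dnskey(owner, NEW_KSK)}      # DS after the parent update
    return {
        "before": chain_intact(cached_ds, {OLD_KSK, ZSK}, owner),
        "double_signature": chain_intact(cached_ds, {OLD_KSK, NEW_KSK, ZSK}, owner),
        "botched": chain_intact(cached_ds, {NEW_KSK, ZSK}, owner),  # old KSK pulled too early
        "after_ds_ttl": chain_intact(new_ds, {NEW_KSK, ZSK}, owner),
    }
```

The "botched" state is the dtschland.eu situation: the old KSK was removed while the old DS was still cached, so validation fails until every cache has expired the old DS.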
More XSS vulns
January 11th, 2019
I have been informed that there are more XSS vulns on my blog. This one was
not as easy to solve as the last time I fixed XSS vulns. I had to actually
write a bit of code. I noticed with this "double-sanitizing" that HTML code
injections were possible through the search system, not just XSS.
I have an open source blog, which means you can see the changes. Here is
the code history with comments. Enjoy, and sorry if you were
vulnerable to an XSS attack.
The endless debate around Computer-System security
January 6th, 2019
Recently in conversation it dawned on me that we're really stuck in a lake full
of shit, and our boat is sinking. Let me explain. The person I talked to said
that to drive a car he doesn't have to know about how the car functions in
detail; he gets behind the wheel and drives. A computer should be the same: you
don't care about anti-virus or security knowledge, you just get on and surf.
He expects the government to do something in regards to the security. I don't
share that viewpoint, because the government would be invasively monitoring us
all for the sake of security. It adds up to surveillance.
Similarly in infrastructure, we mentioned that power plants should not be on
the Internet. But in today's world power plants have to be turned on and off
depending on demand, and this needs to be signaled. So then I said, why can't
power plants be on their own "internet" (small i) but not on the big Internet
(big I)? This is a costly solution, but also a safe solution, because when
the power is off because of hackers we wish it were so. Again the argument was
that government should protect these companies and they should not care a damn
about security themselves. The reality is they have an IT department that is
supposed to take care of these things; they are power plants and have lots of money.
The BSI (Bundesamt fuer Sicherheit am Internet?) can only do certification
programmes and guidelines; anything beyond that is again intrusive to everyone's
privacy and would be monitored en masse. Should the BSI have the control that
the BND in the Frankfurt IX currently enjoys? With firewalls all along the
way managed by them (perhaps with the help of an artificial intelligence)? I say
no. We must keep this centralized component out of our Internet. Everyone
has a responsibility to have an IT contact who gets paid full time to look over
networks. It's the decentralized approach and is supposed to minimize mass
surveillance. What do you think? Why don't you discuss this with your peers?
We talked about a "family IT person" who looks after the family's computers;
is this good or bad? Everyone wants to squeeze money, but security forces us
to squeeze more than our wallets: we actually have to think to defend ourselves
_and_ make decisions. We should not let the government make these decisions for
us! Government is a control freak and will make it the worst-case scenario for
us all.
Ambitious goal: have KSK's rotated by first week in February
January 5th, 2019
I have reviewed my code in dddctl.c of delphinusdnsd and determined it
to be mostly good. Next week I'll start coding on this again. I want to
rotate the KSK keys of my DNSSEC zones by the first week in February. I'm very
much looking forward to this day, as it is an important
step in delphinusdnsd's development. Basically one could make keys back in
2015, but by now they are 4 years old and weakened by time. When I have done
this work, I can look further toward other TODOs that I had planned.
Another thing that the project needs is a clean-up of the website. The
handbook is somewhat outdated, still using dd-convert.c. This needs to
be updated to use dddctl.c. It will be easy though.
New redundant setup
January 4th, 2019
As you know my switch is very loud. Until I can fix it I have set up a
redundant setup here at home, using trunk(4) and OSPF (ospfd). I'm gonna
try to cover the configs here.
The hallway router's OSPF config looks like this:
router-id 0.0.0.2
redistribute default
redistribute 0.0.0.0/0
area 0.0.0.0 {
interface trunk0 {
auth-type simple
auth-key $password
}
interface gif0 {
metric 100
auth-type simple
auth-key $password
}
}
The Office's OSPF setup looks like this:
router-id 0.0.0.3
fib-update yes
redistribute 192.168.35.0/24
redistribute 192.168.2.0/24
redistribute 192.168.177.3
area 0.0.0.0 {
interface ix1 {
auth-type simple
auth-key $password
}
interface gif0 {
metric 100
router-priority 5
auth-type simple
auth-key $password
}
}
This causes gif0 to take over when ix1 (the switch) is not available, and reverts back
to the switch when it turns on. I have a timer on the switch with a 12-hour cycle.
Lastly, the living room is not served with OSPF. It is just a trunk interface
and looks like this:
uranus$ more /etc/hostname.trunk0
trunkport em0
trunkport em5
trunkproto failover
inet 192.168.177.40 255.255.255.0 192.168.177.255
inet6 autoconf
up
Trunk notices the link going from active to inactive and does a failover from
trunkport em0 to trunkport em5 (which is connected directly to the router).
It all seems to work out. There is a caveat. When I'm ssh'ed from the office to the
Internet and OSPF returns to the switch in the morning, the session
expires because it came from the wifi interface's endpoint. Also, when it's
evening and the switch turns off, one has to clear the ARP cache in the office,
because it still thinks 192.168.177.3 (my DNS server) is on the local link.
Once it is cleared, it routes via wifi.
Donated 15 EUR to F3Netze
January 3rd, 2019
I have donated to the offspring of Freifunk Franken. I don't use Freifunk
anymore personally, but I think it's a great concept, within reason. I left
Freifunk because I did not have enough time at the time, and I still don't
have enough time :-).
My switch at home is too loud
January 1st, 2019
The 10 GbE switch is too loud. I'm going to work today to set a timer on it
so that it turns off at 8PM and turns on at 8AM. Also I'm going to set up
a wireless alternative path from office to Internet (and from living room to
Internet). This requires trunk(4) and bridge(4) modifications in OpenBSD.
In theory it should work, but we'll see about that really.
My self-education schedule for 2019
January 1st, 2019
I'm learning Microsoft Windows (Server and Active Directory). My schedule
looks like this:
Saturday->Monday family + reading books
Tuesday + Thursday Windows Administration (34 days or 272 hours)
Wednesday + Friday Delphinusdnsd + Windows Programming (34 days or 272h)
Start: January 7th, 2019
Duration: 17 weeks
End: May 3rd, 2019
I'm going to have a very ghetto basics course that I'm developing as I go. I'm
using literature to guide me. Also I'm looking at jobs on the side, but I'm
not going to apply for a Windows job until May 3rd, as I'd really like to learn
more about this system first. If a good UNIX job comes along I'll apply to it,
likely before May 3rd. I'm very excited about this all and I'm glad I have the
opportunity to do this. Here is a list of books I purchased last year that I
will receive today.
Mastering Active Directory - Francis, Dishan
Gruppenrichtlinien in Windows Server und Windows 10 - Holger Voges et al.
Windows Server 2019: Praxiseinstieg - Joerg Schieb
I'm sure I'll find valuable things in these books. I'm also going to start
another course in June if no job is found by then; it'll likely run until October.
In it I believe I want to learn reverse engineering tools in Windows. Not sure
if I'll get there yet. Like I said, I'm very excited.
2019, Something great is about to happen...
January 1st, 2019
I'm sitting on 1000 EUR of donation money for OpenBSD. I will begin paying out
half of that shortly. By the end of May I should have paid the full amount minus
the small donation I gave to Gilles Chehade of OpenSMTPD in late 2018 (unless
something unexpected happens and I have to use it for something else). Either
way it all makes it into the OpenBSD eco-system. I'm very proud of this and
I'm making sure that my investments in Microsoft will never surpass the investment
for OpenBSD.
Happy New Year 2019
December 31st, 2018
As I write this, the earth has already rolled into 2019. Currently the east coast
of Australia is celebrating New Year's. It will be New Year's here in about
10 hours. I'm likely going to have a quiet New Year's. I'm at my parents' but
going to bed at 8PM or so. Whether I'll get woken at midnight will depend
on other people, whether they decide to have fireworks this year or not.
So happy new year 2019. One year away from 2020! May peace be unto thee.