jschauma

@jschauma@mstdn.social

Vell, I'm just zis guy, you know?


jschauma, to random

Let's get naked!

A 🧵 on #DNS centralization in naked domains across gTLDs and a few select ccTLDs:

jschauma, to random

Remember the X.509 PKI? You know, the one that gave us

  • "Oh wait, certificate revocation is basically all broken"
  • The One Where That Dutch CA Issued A Fraudulent *.google.com Cert

and my all-time favorite:

jschauma, to random

Hey, so #RFC9460 HTTPS/SVCB records are neat, right?

They...

  • speed up your time-to-first-packet (by basically stuffing the Alt-Svc HTTP header / ALPN TLS extension into the #DNS);
  • let you do redirection on the zone apex without using CNAMEs;
  • allow for simple DNS load distribution and failover;
  • obviate HSTS and the cumbersome preloading process;
  • enable stronger privacy protections via Encrypted Client Hello aka #ECH

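
The bullets above describe what an HTTPS record carries; the following is an added example (not code from the original post) that builds the RFC 9460 wire format for an HTTPS RDATA: a 16-bit SvcPriority, the uncompressed TargetName, then SvcParams as key/length/value triples in strictly increasing key order. The registry numbers are the ones from RFC 9460 section 14.3; the function names and the ECHConfigList placeholder are this example's own. It enforces the rules a resolver or zone tool would check (AliasMode carries no parameters, "mandatory" may not list itself and must only name keys that are present).

```python
"""Encode an RFC 9460 HTTPS/SVCB RDATA into wire format (added example)."""
import base64
import ipaddress
import struct

# SvcParamKey registry values, RFC 9460 section 14.3
SVCPARAM_KEYS = {
    "mandatory": 0,
    "alpn": 1,
    "no-default-alpn": 2,
    "port": 3,
    "ipv4hint": 4,
    "ech": 5,
    "ipv6hint": 6,
}


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name; "." (the owner name itself) is a lone root label."""
    if name == ".":
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def encode_svcparam(key: str, value) -> bytes:
    """One SvcParam: uint16 key, uint16 length, then the key-specific value encoding."""
    code = SVCPARAM_KEYS[key]
    if key == "mandatory":
        # Sorted list of key codes the client must understand; listing "mandatory" itself is invalid.
        codes = sorted(SVCPARAM_KEYS[k] for k in value)
        if 0 in codes:
            raise ValueError("mandatory may not list itself")
        payload = b"".join(struct.pack("!H", c) for c in codes)
    elif key == "alpn":
        # Each ALPN protocol id is a 1-byte length followed by the id bytes.
        ids = [p.encode("ascii") for p in value]
        if any(not 1 <= len(p) <= 255 for p in ids):
            raise ValueError("ALPN id must be 1..255 bytes")
        payload = b"".join(bytes([len(p)]) + p for p in ids)
    elif key == "no-default-alpn":
        payload = b""  # a flag: present with an empty value
    elif key == "port":
        payload = struct.pack("!H", int(value))
    elif key == "ipv4hint":
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    elif key == "ipv6hint":
        payload = b"".join(ipaddress.IPv6Address(a).packed for a in value)
    elif key == "ech":
        # Value is the opaque ECHConfigList; presentation format carries it base64-encoded.
        payload = base64.b64decode(value)
    else:
        raise ValueError(f"unsupported SvcParamKey {key!r}")
    return struct.pack("!HH", code, len(payload)) + payload


def encode_https_rdata(priority: int, target: str, params=None) -> bytes:
    """SvcPriority || TargetName || SvcParams, with SvcParamKeys in strictly increasing order."""
    params = params or {}
    if priority == 0 and params:
        raise ValueError("AliasMode (priority 0) records carry no SvcParams")
    missing = set(params.get("mandatory", [])) - set(params)
    if missing:
        raise ValueError(f"mandatory keys not present in record: {sorted(missing)}")
    ordered = sorted(params.items(), key=lambda kv: SVCPARAM_KEYS[kv[0]])
    body = b"".join(encode_svcparam(k, v) for k, v in ordered)
    return struct.pack("!H", priority) + encode_name(target) + body


if __name__ == "__main__":
    # ServiceMode record at the apex: "1 . alpn=h2,h3 port=443 ipv4hint=192.0.2.1" (constructed values)
    rdata = encode_https_rdata(1, ".", {"port": 443, "alpn": ["h2", "h3"], "ipv4hint": ["192.0.2.1"]})
    print(rdata.hex())
```

The parameter dict is deliberately given out of order in the usage; the encoder sorts by key code because a receiver is required to treat out-of-order keys as malformed, which is the kind of detail that bites when hand-assembling records.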
jschauma, to random

Every so often, I need to chase down some aspect of email validation (#SPF, #DKIM, #DMARC, ...). This involves a number of #DNS records and queries, but I may forget just which ones. So here's a quick #SMTP/DNS cheatsheet:
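
As an added example (not part of the original post), here is a walk through the records a receiving MTA would consult for a sending domain: the single `v=spf1` TXT record at the domain itself, the `_dmarc.<domain>` TXT record, and the `<selector>._domainkey.<domain>` TXT record for DKIM. The zone data, domain names and selector are constructed for the example, and `audit` is this example's own name; the lookup-counting rule it applies is RFC 7208's limit of 10 DNS-querying terms (a, mx, ptr, exists, include, redirect) across the whole include chain.

```python
"""Walk the DNS records involved in SPF, DKIM and DMARC for a domain (added example)."""
from ipaddress import ip_network

# Constructed zone data for the example; names, addresses and the DKIM key are made up.
ZONE = {
    ("example.com", "TXT"): [
        "v=spf1 include:_spf.mail.example ip4:192.0.2.0/24 mx -all",
        "site-verification=not-an-spf-record",
    ],
    ("_spf.mail.example", "TXT"): ["v=spf1 a:relay.mail.example ip6:2001:db8::/32 ~all"],
    ("_dmarc.example.com", "TXT"): [
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=r"
    ],
    ("sel1._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; t=s; p=QUJDREVGR0hJSg=="],
}

SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def txt(name):
    """Stand-in for a TXT query against the constructed zone."""
    return ZONE.get((name.rstrip(".").lower(), "TXT"), [])


def parse_tags(record):
    """'k=v; k=v' tag lists, the format shared by DKIM key and DMARC policy records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_record(domain):
    """Exactly one record starting with 'v=spf1' is allowed; more than one is a permerror."""
    recs = [r for r in txt(domain) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(recs) > 1:
        raise ValueError(f"{domain}: multiple SPF records (permerror)")
    return recs[0] if recs else None


def spf_lookup_count(domain, seen=None):
    """DNS-querying terms reachable from this record, following include: and redirect=."""
    seen = set() if seen is None else seen
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    seen.add(domain)
    record = spf_record(domain)
    if record is None:
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier, keep the mechanism
        if term.startswith("redirect="):
            count += 1 + spf_lookup_count(term.split("=", 1)[1], seen)
        elif term.startswith("include:"):
            count += 1 + spf_lookup_count(term.split(":", 1)[1], seen)
        elif term.split(":", 1)[0].split("/", 1)[0] in SPF_LOOKUP_MECHANISMS:
            count += 1
        elif term.startswith(("ip4:", "ip6:")):
            ip_network(term.split(":", 1)[1], strict=False)  # raises on a malformed network
    return count


def audit(domain, selector):
    """Summarise what a receiver finds for mail claiming to come from this domain."""
    spf = spf_record(domain)
    dmarc_recs = [r for r in txt(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    dkim_recs = [r for r in txt(f"{selector}._domainkey.{domain}") if "v=DKIM1" in r]
    dmarc = parse_tags(dmarc_recs[0]) if dmarc_recs else {}
    dkim = parse_tags(dkim_recs[0]) if dkim_recs else {}
    lookups = spf_lookup_count(domain)
    return {
        "spf_all": spf.split()[-1] if spf else None,
        "spf_lookups": lookups,
        "spf_within_limit": lookups <= SPF_LOOKUP_LIMIT,
        "dmarc_policy": dmarc.get("p"),
        "dmarc_subdomain_policy": dmarc.get("sp", dmarc.get("p")),  # sp defaults to p
        "dkim_key_type": (dkim.get("k", "rsa") if dkim else None),  # k defaults to rsa
        "dkim_key_present": bool(dkim.get("p")),
    }


if __name__ == "__main__":
    print(audit("example.com", "sel1"))
```

Swap `txt` for a real resolver call and the rest applies unchanged; the include-loop check and the lookup counter are the two things that most often turn a "looks fine" SPF record into a permerror at the receiver.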

jschauma, to random

I have:
Simple timeline data in the format "YYYYMMDD number".

I want:
A decent looking timeline graph. (Interactive mouse-over showing data point details would be nice, but not a hard requirement.)

I don't have:
A PhD in JavaScript, knowledge of R.

I don't want:
To learn a new language, a million dependencies, docker, cloud service.

What are my options? gnuplot for timeline chart seems straight forward. What else? Python matplotlib?

jschauma, to sysadmin

Hey Fediverse! The Spring semester is about to start, and I'll be teaching System Administration again:

https://stevens.netmeister.org/615/

Topics covered include: basic operating system & filesystem concepts, software installation & package management, config management, automation, tools development, TCP/IP networking, common services, system security.

All lectures are online as free videos; if you'd like to follow along, here's the playlist for Week 1:

https://www.youtube.com/playlist?list=PLDadzdouM0VCV7tjurqM8FHY6APK9wvJl

jschauma, to random

Because I've been using it quite a bit lately and think it might be useful for some of you, here's a list of #HTTP status codes and descriptions in man page format:

https://github.com/jschauma/httpstatus

#rtfm

jschauma, to random

Reminder that if you write Go cli tools and want to accept passwords from the user, I have a neat little module for you:

https://github.com/jschauma/getpass

It supports getting a password from:

  • a command (cmd:command)
  • an environment variable (env:var)
  • a file (file:path)
  • the macOS keychain (keychain:name)
  • LastPass (lpass:name)
  • 1Password (op:name)
  • the command-line if you absolutely must (pass:password)
  • the controlling tty (tty[:prompt])

jschauma, to random

The cool thing about "Every App is actually just a browser, and we're all using Chromium" is that now critical, actively exploited vulnerabilities like that WebP CVE-2023-4863 apply to dozens of software components that your inventory doesn't know are affected.

Dat monoculture once more... 😗

jschauma, to random

Thinking of starting a new consulting business, called "That's Fucked Up As A Service".

I sit there and you explain your legacy system to me, and all I do is say "That's fucked up." If you agree, you get a discount. If you try to justify the brokenness, you have to pay double.

jschauma, to random

Over the last few years, I noticed an increased trend amongst my students: they simply don't ask for help any longer, willing to remain stuck on a problem to the point of missing submission deadlines or forfeiting points.

This is in addition to dramatically increased passivity (fewer follow-up questions, less participation in class) and greater needs for step-by-step guidance.

jschauma, to random

Not really a hot-take but: open source projects moving public discussions from project run mailing lists or chats to commercial (albeit "free") platforms is inevitably and eventually going to backfire and we'll all lose important knowledge and content either completely or behind login-, ad-, or paywalls.

jschauma, to random

On May 3rd, 2023, Google opened up the .mov and .zip TLDs for public registration. This has made a lot of people very angry and been widely regarded as a bad move.

But what interested me more than the predictable names themselves was the rate of new registration (about 20K in the first month for .zip vs around 3.5K for .mov), which then got me thinking about domain name registration numbers across all TLDs.

jschauma, to random

Ok, so if we assume we need >4K qubits to factor 2048 RSA using Shor's algorithm, then the current development timeline* puts "Q-Day" well within reach by 2025, I'd guess. That's... soon.

*https://en.wikipedia.org/wiki/Timeline_of_quantum_computing_and_communication

jschauma, to random

I've previously[1] talked about how stupid #WHOIS is, and while #RDAP is an improvement, it's still really just a bunch of information bits based on (regional) convention.

A human can usually quickly identify e.g., the owning legal entity from inspection of the data, but good luck doing that programmatically. It's infuriating.

[1] https://www.netmeister.org/blog/whois.html

jschauma, to random

Wikipedia ain't asleep.

jschauma, to random

Ken Thompson's original Unix backdoor of "Reflections on Trusting Trust" fame was apparently never published. 40 years (!) later, here it is: 99 lines of code plus a 20-line shell script. That's it.

Nicely annotated and explained by Russ Cox:

https://research.swtch.com/nih

jschauma, to random

The "Singing Stone" is a block of blue azurite and green malachite, on display at the American Museum of Natural History in New York City. The block weighs about 3.300 kg and contains about 1.500 kg of copper. It was originally collected in 1891 in Bisbee, Arizona, and first exhibited at the 1893 World's Fair in Chicago. The name derives from the sounds emanating from the stone during changes in humidity.

jschauma, to random

Holy shit grep is slow.

zcat file.xz | time perl -ne 'print if / none /' | wc -l
74368
0.09s real 0.04s user 0.01s system

zcat file.xz | time sed -n -e '/ none /p' | wc -l
74368
0.13s real 0.08s user 0.00s system

zcat file.xz | time awk '/ none / { print }' | wc -l
74368
0.10s real 0.05s user 0.01s system

zcat file.xz | time grep ' none ' | wc -l
74368
57.98s real 22.68s user 0.01s system

jschauma, to random

Verify you are human.

jschauma, to ai

OMG, the "can you melt an egg" answer is back, this time citing the article that explains how Google was taking the wrong answer. #ai #fail

jschauma, to random

Apple goes post-quantum crypto for iMessage, using their new "PQ3" protocol (ML-KEM / Kyber + ECDH for key exchange with periodic (PQC) rekeying):

https://security.apple.com/blog/imessage-pq3/

They also had outside experts do analyses of their new protocol:

https://security.apple.com/assets/files/Security_analysis_of_the_iMessage_PQ3_protocol_Stebila.pdf
https://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf

#cryptography #postquantum #pqc

jschauma, to random

For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow' my ass", I'm willing to argue that the reverse engineering of the #xz #backdoor actually validates this claim.

We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).

jschauma, to random

Happy OpenSSL 1.1.1 EOL Day to all who celebrate! 🎉

Congrats on having upgraded everything in time, because you knew exactly what software is used everywhere in your network and you have full control over all components and dependencies!

Good thing, too - would be pretty uncomfortable otherwise, running unsupported software that won't get security updates going forward.
