Posts by Justin Pasher

Re: How does that work?

Root CA certificates have a much longer expiration date. They are also kept much more secure (i.e. they only directly sign intermediate certificates and (should) be kept offline or in secure hardware so they are much harder to compromise).

The idea is that the TLS libraries used by software (e.g. web browser, curl, wget, etc) to interact with a TLS endpoint includes long lived Root CA certificates in its trust store. Because it is much harder to update the trust store for all of the installations everywhere if there is a compromise, an Intermediate CA certificate is used to actually sign the final certificate. That Intermediate CA certificate has a shorter expiration (ten years is on the higher side, and twenty years is actually insane). If the Intermediate CA certificate gets compromised, it can be revoked much easier, as it's not typically part of a TLS library's trust store. The TLS library only trusts the Intermediate CA certificate because it's signed by a Root CA certificate, which it directly trusts.

This is where the concept of a "certificate chain" is used. If we take a web server as an example, it will typically provide the site certificate and any intermediate certificates used to trace it back to the Root CA certificate. The browser will look at each certificate in the chain, and if the final one is signed by a certificate it trusts, it considers the site certificate trusted. If an intermediate certificate is compromised (which is very rare), it can be revoked. The device is supposed to use the CRL to verify whether a certificate is revoked. How well this works in practice, I'm not sure.

The big takeaway is that certificates must have some sort of expiration. The regular certificates are short lived (anywhere from three months to one year nowadays) because they're easy to replace. The Intermediate CA certificates are trusted longer (but not so long that a compromise would let a vulnerability linger for a long time). The Root CA certificate is trusted even longer (because it would involve updating millions or even billions of devices). Because of its importance, the Root CA certificate is very heavily protected. If that is ever compromised, you will probably not be a CA anymore.

For the everyday end user, traceroute is a great way to find out where latency gets introduced.

Are you noticing a slowdown in a service and suddenly getting 100+ ms pings to the server? Is it your ISP? The hand off between your ISP and the next backbone? The target server? If you observe where the ping times jump (assuming the hops respond to ping), you can use this to narrow down the source.

Like some others said, you can also use it to see if traffic is going out the correct connection (e.g. VPN).

Re: Um, what ?

Money. It's always about the money.

Entrust wanted to put the satisfaction of their customers over compliance with the standards. If they made a customer mad by following the standards and revoking certificates properly, the customer would answer by taking their money elsewhere (eventually). You can head over to the CA Compliance section in Bugzilla[1] and read about all the gory details (warning: there is a LOT to read on the Entrust filings). Their biggest (and repeated) problem was not revoking faulty certificates in the prescribed time (24h/5d). They were always trying to compromise with their customers because the customers said they couldn't get certificates replaced in that short of time. Some of them literally took months. Imagine how these customers would respond if their was a private key breach (I wonder if they did the responsible thing during the Heartbleed vulnerability and got everything reissued). They even had a report back in 2020 with the exact same problems and stated the exact same things they are now stating they would do to fix it.

There's only so long you can keep saying "we'll do better" without tangible results.

[1] https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Program&component=CA%20Certificate%20Compliance&bug_status=__open__

Enforcing DMARC

Absolutely. AOL/Yahoo[1] and Google[2] both made announcements about stricter DMARC validation, which requires either SPF or DKIM alignment. SPF alignment can be tricky if you don't have control over the envelope sender (the "internal" address usually used for bounce backs). DKIM alignment requires the signing domain to match the From header. The article itself mentions that someone fixed their problem by setting up proper DKIM signing. It's very unlikely to be IP address based, even though there are miscreants that use Microsoft email services.

All that being said, Yahoo has always been a joke for email deliverability. Their solution to reducing spam is basically "accept fewer emails." If you are a bulk sender (and sometimes not), they will randomly start throttling you and return a generic "deferred due to user complains" message, which is completely bogus. Anyone that has a Yahoo email address should not expect reliable email delivery.

[1] https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

[2] https://blog.google/products/gmail/gmail-security-authentication-spam-protection/

Re: WSA or ASW?

It's a little awkward reading altogether, but it makes more sense to read it like

Windows "Subsystem for Android"

as opposed to

"Windows Subsystem" for Android

As others have pointed out, they did the same for Windows "Subsystem for Linux"

Re: Devuan

"Having looked at many of these shell scripts, one thing I would never describe them as is "simple". A systemd unit file, OTOH, is something I worked out how to do simply by looking at one at changing 2 lines."

I've been dealing with programming for over 25 years, so I will give it to you that "simple" is a very subjective term. By simple, I'm referring more to the idea that I can add a few echo statements or run the script in debug mode to trace what's going on. systemd is a black box. It will fail to start processes, yet report that everything is fine. You are then stuck trying to trace what's happening on your own. To use your engine analogy, it can be like trying to diagnose a modern engine that's giving error codes without an OBD reader.

"So you're taking a system, trying to remove certain parts of it and replace them with other parts under a different system, and then complaining it's complicated?"

My big rub with systemd is the NIH syndrome it suffers from. Tools already exist for a lot of functionality that systemd just tries to duplicate. Sometimes it (thinks it) adds a few useful things, but other times there's no reason for it to exist. Many of these tools are supposed to be optional (i.e. "extra"), so removing them should not affect any functionality. That's why I don't equate it to making the system more complicated. However, systemd often blurs the line between modular and dependent components.

"As someone who tries not to look at the engine unless it stops working..."

Based on that, I'm assuming you are more of a desktop user. In general, I wouldn't say Debian is geared toward desktop users, although I used it in a desktop setting. It's shines more n server environments, and people that run servers typically do look a lot more at the engine.

Re: Debian ships sysv init, it's not enabled by default

While I haven't had a chance to look at Bullseye yet, given that it just came out, I assume that the normal Debian installer still doesn't give a choice of the initial init system and forces systemd. However, since they are now saying they have better support for sysvinit (yay!), I imagine the same steps I've been following since Jessie will apply.

After initial boot:

apt-get install sysvinit-core

reboot

apt-get purge systemd

Create /etc/apt/preferences.d/systemd-blacklist to keep systemd init away:

Package: systemd-sysv

Pin: release o=Debian

Pin-Priority: -1

Re: Wrong lightbulbs...

I've had the opposite experience with LEDs.

The two big ideas behind LEDs are that they use less energy and they last longer, so less waste. The energy savings is hard to refute, as they definitely use much less than traditional incandescents (not taking into consideration any manufacturing differences that might require different levels of "energy" to produce them). The lifespan thing... well... I hope you don't have fader switches. For non-fader switches, they seem to have very few problems. However, you put them on a fader, and it seems to dramatically shorten their lifespan.

By my estimate, over the past 3-4 years, we've had at least 5-6 LED bulbs die that are on faders. They don't completely die like traditional bulbs. They start having flickering issues and sometimes will randomly cut off then back on. If you're smart enough, you keep the original box and receipt, and the manufacturer will usually replace them without problems (they typically come with a five year warranty).

The biggest problem with the push to more efficient bulbs was that it was so aggressive. Halogen weren't really any better (and often times a shorter life span), CFLs just plain suck, and LEDs have had a lot of teething issues. Technology STILL hasn't caught up to it (as exhibited by my experience). I remember the earlier days of LEDs where they wouldn't work at ALL on a fader. As they progressed, you then had issues where only certain faders were "compatible" (I think an analog vs digital thing). So in addition to getting new bulbs (which were closer to $7-$10 each at the time), you also needed to replace all of your fader switches.

"You can't really support two competing sewage treatment plants because how are you going to route the waste to the one you choose without a whole separate network of pipes? Likewise with water, electricity, or gas."

In Texas, they deregulated electricity almost 20 years ago. It caused a bunch of competing "providers" to fight each other to give the best rates. The electricity itself is provided by the local TDU (Transmission and Delivery Utility), which is kind of like the government. They charge a very stable base rate, and the providers will usually pass that through plus a few extra cents for kWh to keep their business going. Ultimately, the provider just handles the "paperwork" side of things. If you have any trouble with the electricity, you contact your TDU.

All of this is not available for everyone (such as more rural areas), but it did greatly increase competition for many.

Re: 386DX

Not true. I ran it on an AST brand 386SX/25 with 4 MB of RAM. Yes, I had to shrink the game play window down about half way, but it was still playable (definitely not 30 fps, but playable). I do remember having to reboot with a clean AUTOEXEC.BAT and CONFIG.SYS to free up enough memory to play, though.

Re: There's always something nowadays

Backported indeed.

https://security-tracker.debian.org/tracker/CVE-2018-1000007

Re: FF native sync

The big thing missing from the Firefox native sync capability that I get from Xmarks is profiles. I have a Work profile and a Home profile, and I can select which bookmarks appears in each profile. There are some bookmarks I want to see at home and at work, and there are some that I just want at work or just at home. If I used the same FF sync profile at both locations, they'd always be completely identical.

I originally started out with Delicious and moved over to Xmarks about a year or two ago when the Delicious add-on stopped working properly. The ability to use tags on the bookmarks is a key thing for me, and with the TagSieve add-on plus Xmarks sync, I can get the Delicious functionality back. However, the latest version of the Xmarks plugins doesn't properly sync tags anymore, and the export option from the Xmarks web site doesn't export the bookmarks with the tags either. I had to restore bookmarks from a FF backup and disable the sync to avoid losing all of my tags. I've already reported the bug (and they've confirmed), but who know when it will get fixed.

I've yet to find a good, free option to get the same functionality and integration (even self-hosted would work).

Re: Fines?

"I fully support your right to free speech, so long as you also accept my right to throw sh*t at you..."

Actually, that would probably be considered assault, so not actually a right you are granted.

Re: The answer should be Yes and Yes

"No, no. broadband is cable/coax delivered internet. DSL is phone-based internet. And FiOS is fiber optics."

Now you're just playing a game of semantics. By this statement, you are saying a DSL and FiOS connection should not be called a broadband internet connection. Now I no longer have broadband service, along with millions of others! We need more competition, stat!

Re: PC technology?

That's what I see in my mind. A redesign of the original housing with a RPi inside. Done.

You've got HDMI, four USB, and it runs an emulator. The original Atari 2600 hardware is so old, computers from 20 years ago could emulate the games at full speed with no problem.

Re: libsystemd0

Are you sure that matters?

I haven't had a chance to test an upgrade yet, but all of my machines are set up using SysV (package sysvinit-core). They also all have libsystemd0 already installed. I know the key package to avoid in Debian Jessie was systemd-sysv. Perhaps it changed in Stretch? I'm hoping not.

Re: 64-bit

I think it's just more of a terminology semantics issue. I'm sure he just means 64-bit systems running on hardware utilizing the x86-based instruction set (versus ARM, MIPS, etc). Sure "amd64" or "x86_64" would be more correct, but I think most would understand what he means.

Re: Mutant daisies

I guess you forgot the Joke Alert icon...

http://www.snopes.com/nuclear-mutant-daisies/

Re: Awww.... come on !

"The whole point is that Google are showing that it's entirely possible to bring updates out, consistently, and frequently."

I don't quite see why people miss the big reason why non-Google phones have a longer delivery cycle. Have you ever used a Google phone versus another manufacturer like Samsung? If you have, you'd notice the obvious difference. Samsung has put a lot of work into making their interface consistent across all of their devices via the TouchWiz interface. If you compare the S4 through the S7, you'll notice that all of them operate very similarly (interface-wise). Google simply takes what they've created as stock and slaps it on the phone. When a new release comes out, they can easily deploy it because everything in the release is basically exactly what goes on the phone. Samsung has to update, tweak, and compatibility test all of the customizations they have made to integrate them into the new release. If Samsung ran stock, I'm sure major updates would be released a lot faster. If you look at the security point releases for the S7, Samsung actually keeps pace quite well.

You also have the issue with carrier tie-in. It's why the Samsung on AT&T can receive the update on a different timeline than the exact same Samsung on Verizon. Each carrier will want their own control over how things are built to make sure their own cruft gets included.

@AC

From my reading of the articles (and my own testing), the issue at hand is that many default SSH daemon configurations for IoT devices leave TCP forwarding enabled by default (AllowTcpForwarding). This basically means "open proxy for people that can authenticate".

Once a user authenticates (be it via password or public keys), even if they don't have a valid shell defined for their account, they can still do port forwarding. Since many IoT devices are going to be using default username/password combinations, if someone can access the SSH daemon on that device, they can use it has a proxy. If they don't have the credentials or the public key (when using key based authentication), they can't do anything, even if AllowTcpForwarding is enabled.

Moral of the story: don't allow unprotected SSH to an IoT device (or really any device) and make sure it's not using default or common credentials for access. Also, if you don't need it, turn AllowTcpForwarding off.

Re: @Phil W

To me, it looks like Yelp wants to have its cake and eat it to. They argue that they are immune because they do not control the content of the site, yet they are pursuing someone with a bad review to get a commitment to buying advertising ... to alter the content on the site.

Not quite racketeering, since I'm sure they don't try to sell advertising just to people with low review scores. Sounds a lot more like just simple (possibly indirect) blackmail.

Re: Dumb idea IMO..

The one-IP-address-per-site thing is very rarely an issue nowadays. Just use shared IP addresses and SNI. Unless you're trying to support IE on Windows XP, you'll rarely find a case where anything remotely modern doesn't support it.

@Chika

I don't think it works that way (at least for W2K16 Standard). According to the FAQ:

and

It means even if you have a single Windows guest VM that is only assigned one processor with one core, you still have to fully license the physical server it's running on. That's how the current Windows 2012 license works (but since it's processor based, it's more straightforward).

Re: Storing CC security verification codes

Per PCI DSS section 3.2.2:

Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

This goes all the way back to PCI DSS 1.2 (2008). But hey, we like to treat them more like "guidelines" than rules.

Re: bsd and systemd

I have bsdutils installed on a Debian Jessie system running sysvinit. The package depends on libsystemd0, not the full systemd init system. In fact, running sysvinit is officially support in Debian Jessie. You just have to do some work yourself.

https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#systemd-upgrade-default-init-system

Whether this will still be the case when Debian Stretch becomes stable next year is anybody's guess.

@CommodorePet: Re: Guess I'm a lucky one

The little bit I've used WMC, it's not that it's bad, it's just not as good as MythTV. The scheduling capabilities of MythTV completely blow other DVRs out of the water. Recording specific titles, time slots, previously recorded detection, automatic commercial flagging, etc. Then you have the Power Search feature where you can build an SQL query to choose the programs to record.

Since Microsoft has officially discontinued WMC on Windows 10 (and thus will stop supporting it on Windows 7 when its support ends in 2020), the options are getting scarce. Silicon Dust (makes of the HDHR) are working on HDHomeRune DVR as an alternative to WMC, but they've been working on it for almost a year and it still lacks a lot of features (and doesn't support "Copy Once" channels yet). It looks promising, but who knows when it will be finished, and I still won't be able to stream to my MythTV box.