* Posts by joesomeone

29 publicly visible posts • joined 6 Jun 2020

Cisco to sell everything-as-a-service – even core networking hardware – and cut costs by a billion bucks


Re: Doesn't add up

Don't worry.. in about three months from now, we'll be back here with new corporate statements.

Super Cali COVID count is somewhat out of focus, server crash and expired cert makes numbers quite atrocious


Certificates are becoming the new DNS?

The old IT adage, the problem is always DNS. Seems like certificates are gunning for the top place of crappy IT problems.

And as to be expected... nothing more permanent than a temporary solution.

That's how we roll: OWC savagely undercuts Apple's $699 Mac Pro wheels with bargain $199 alternative


Re: patent-pending design

Looks like I'm not that far off on the split nut design.

What I don't get is why you would spend $200 on casters because $700 was too much, and yet... the kit comes with wheel chocks to prevent unintended rolling. (Scroll down a bit, they don't use HTML anchors.)

Thought this shit could only be made up in Hollywood. Guess that and in Apple Jeamland.

Thumb Up

Re: Lifetime warranty eh?

I don't know about OWC today, as the last time I dealt with them was when they were selling Gateway Destination TVs faster than they could stock them. Back then their warranty was basically no quibble and their support team excellent, as long as you were honest. (Meaning you weren't trying to pull shit over them.)


Re: patent-pending design

I'd suspect the patent is a "D" patent, or a design patent. Doesn't take too much. Design a different molding for a power cord and ta-da, "patented design".

A quick search at the USPTO doesn't come up with anything new from them.

I can't help but notice that the thing above the castor looks like a slip-on twist nut.

Perhaps a tad bigger is all.

Amazon's auditing of Alexa Skills is so good, these boffins got all 200+ rule-breaking apps past the reviewers


Re: Skills?

Your $Dayjob is clearly not in marketing.

Microsoft tells AMD-powered Insiders they're unblocked in new Windows 10 Dev Channel build: 'Oh no we're not!'


Re: the much-vaunted Eye Contact feature

I'm sure this will look just as natural as the non-Chroma Keyed background obfuscation/picture injection from Teams.

Where ears and the sides of your head get cut off when you turn your head and if you aren't fully bald or with a full head of hair... all sorts of weirdness is going on above you.


Oh and to answer your question on why... this is because with everyone WfH, they've come to realize that it's actually hard to talk TO a camera while trying to NOT focus on your return video feed or any number of other distractions going on. :)

Twilio: Someone waltzed into our unsecured AWS S3 silo, added dodgy code to our JavaScript SDK for customers


Re: Open S3 bucket you say?

Can we impale them on a spike as a warning to others?


Cool! But maybe not for the BA break-in?

Just looked into SRI and that seems like some cool ass stuff. I am a bit concerned that W3 consider SHA384 as the baseline hash... seems like a bit of overkill, especially when considering mobile devices and power consumption. Maybe SHA computing has been optimized in hardware? But then again, scripts don't tend to be that big I guess.

But re-refreshing myself with the BA breakin, their core website was broken into and had their own HTML hacked to pull a script loaded from a non-related domain that kinda looked like it might belong to British Airways...

So, I'm not sure how SRI would have helped here. This wasn't a third-party hosted script that was changed. This was their first-party website hacked to load a third-party script.

The correct solution would have been to (carefully) monitor changes to critical files.. and I'm assuming that their payment pages should have fallen under PCI 11.5(a).

960 LinkedIn employees will be let go... If only there was some kind of 'social network for suits' to assist job hunts




Summarizes the email addresses that SHALL exist, as stipulated in other RFCs and within itself, depending on services that the domain provides.

Finally, made it to the weekend, time to breathe, relax, and... Cloudflare's taken down a chunk of the web


Re: DNS is supposed to be decentralised

Well.. DNS is decentralized. You may recall that before DNS, name resolution depended on a flat-file and you had to retrieve that flat file in order to get any updates/changes.

You're also conflating two (or three) sides of DNS. The client's side and the authoritative (the client's resolver is somewhere in-between) side.

Your client can have as many resolvers listed and they'll resolve whatever it is that they can communicate with (within reason... there's a whole host of other rules that the OS relies on before dismissing the primary DNS server and moving to the secondary/tertiary server). On the other end, well... that's only as good as the DNS servers chosen by that domain's operator.

You mention AWS... it is interesting that AWS takes a very peculiar approach to this issue. In order to prevent downtime either from overload and/or some weird outage of say the .com or .net or .org TLD DNS servers, they actually use four different TLDs... .com, .net, .org and .co.uk for their nameservers.

The issue isn't that DNS isn't decentralized.. It is that CloudFlare is becoming "too big to fail".

My question is why weren't they following the golden rule, "read-only Friday". Routine is routine, until something shits the bed.

Thumb Up

Glad that they don't use their own infrastructure for their status domain...

They got that part correct... *cough* AWS.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle



A lot of big businesses moved quickly and with relative aplomb to switch to nearly 100% Work from Home for millions of employees across the world just a few months ago, often with only 1-2 weeks notice.

If that type of coordination can be mustered and executed across the entire enterprise, I think five days to swap out certificates are within the realm of possibility.

Plus, I would hope that those who deploy EV certificates read the fine print, fully understood what they were purchasing and put this into their Risk Assessment, before deploying EV certificates.


Certificates are hard... to do properly

Certificates are a bitch and chore. If done properly, they're hidden within a HSM and given the second word of that name, those are no joke.

And the average website isn't going to acquire an EV certificate. Only companies that need/want the extra level of accreditation and protection that EV provides is going to take this route.

And part and parcel of that protection are audits like this and the nuke it from orbit response when something doesn't pass the sniff test.

Because all these things matter to shareholders.


Details matter....

I'm not sure your list of banks are entirely correct.

The ICAs that are being revoked (if you read the linked KB from the article) are -

DigiCert Global CA G2

GeoTrust TLS RSA CA G1

Secure Site CA

Thawte TLS RSA CA G1

Cybertrust Japan Secure Server ECC CA

DigiCert Global CA G3

GeoTrust TLS ECC CA G1

Thawte TLS ECC CA G1

NCC Group Secure Server CA G3

Aetna Inc. Secure CA2

DigiCert SHA2 High Assurance Server CA

NCC Group Secure Server CA G2

Plex Devices High Assurance CA2

TERENA SSL High Assurance CA 3

Looking at AMEX, I don't see their EV cert chained to any of these ICAs. Yes, they are chained to "DigiCert", but not one of these specific ones. And the cert for AMEX was issued back in February, so this isn't a mitigated certificate. Plus, the signing ICA isn't one of the replacement ICAs.

Same with HSBC, that's issued by the same ICA as AMEX, DigiCert SHA2 Extended Validation Server CA, which isn't listed on for execution tomorrow.

Same with Clydesdale Bank....

I haven't checked your whole list, but I wouldn't get entirely out of breath here.

Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5


Re: Something about motes and beams...

That is O365, so Microsoft has a baseline configuration for send connectors, but their tenants are free to do whatever they want, including enforcing TLS for one or all destination domains or relays, so on and so forth.

It is unfortunate that they don't execute a QUIT either and instead allow the socket to age out.


Re: Something about motes and beams...

Maybe the sender's send connector enforces TLS.

Given the DNS PTR naming convention, it looks like this might be part of their low-quality/SRS IP pool. At least that's what I gather from reading the tea leaves.

But it doesn't sound like you're missing anything important, nevertheless. :)

You've accused Apple of patent infringement. You want to probe the iOS source in a closed-room environment. What to do in a pandemic?


Re: Is this the same Maxell

And the dude in the chair being blown away by the audio from a tape - https://www.youtube.com/watch?v=Zjf5pdJJ44Q

Now I wonder what came first... the commercial or Apocalypse Now. Based on a two-second google, seems that the movie came first. And of course the song predates the commercialization of electricity or the discovery of viruses, so that came first.


Re: and two days (or less) later

With all those lines of code, I'm sure it wouldn't be too hard to put in a small haikyu buried somewhere deep within that specific copy of code it that'd allow Apple to finger Maxell post-leak.


Re: Why not use a screen and wireless keyboard?

Because lawyers are also officers of the court. While the proceedings are adversarial, they are not without scruples.

Plus their license to practice law in that state could be on the line for any shenanigans detected by Apple after the devices are returned.

And we're talking about Apple here, not Fazio Mechanical Services. I'm sure these are self-contained laptops and have some decent auditing cranked up on them.



Did you like intentionally misquote the article? I also checked the court filing and don't find your quoted text anywhere.

Here is the paragraph, copy-pasted verbatim from the article with the emphasis mine -

"The reviewers also have to give Apple at least an hour's notice before they start up the machine, so they can be given a single-use password to access the computer for that session, and inform them the moment they have finished. "

So it's done with a TOTP code that probably has a 60 minute lifespan.

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Big Brother

Re: Naive or Complicit?

ISPs have plenty of information on you without DNS. DNS is just a cherry on the top that puts a name to an IP (which isn't a PTR RR). They record every single data flow in and out of your home. They know the IP you're going to, how much data is transiting that flow, what AS you're communicating to and over what port and packet type (6 or 17 most likely) that flow is communicating over.

With that information, your ISP can infer the places your going based on the IP(s) that other ISP customers are getting from unprotected DNS queries.

And with a bit of inspection, it is trivial to know precisely where you're going with a little packet inspection of the TLS ClientHello packet and the bit of it called "SNI" (Server Name Indication). This is a critical piece of the TLS protocol that allows for more one secured FQDN to exist on the same IPv4 address and the website FQDN is listed in plaintext. I don't know if this is a thing for IPv6 hosted sites.

Fortunately, this glaring hole was sorted in TLS1.3 with the creation of ESNI (E=encrypted). But I'm sure all the firewall and security appliances manufacturers out there are looking for ways to re-filter corporate comms. Maybe they'll just block "_esni.FQDN" queries.

Hopefully TLS1.3 will be adapted faster than IPv6. But it does seem to have almost as many moving parts and fall-back processes to provide continuity.


For what end?

In this example, Comcast can inspect all your UDP/53 traffic coming out of your home which contains all your questions.

Sure, might be a bit harder than correlating some DNS logs and it (shouldn't) allow them to choose one answer over another... but Comcast is running DPI throughout their environment, so let's consider it a trivial matter.

The correct answer to this is to look no further than DoT.

I might add that DoH (and DoT) isn't the panacea that everyone is talking about. Pure opaqueness (outside of the company that's providing that DoH infrastructure) for DoH and DoT requires TLS 1.3, Encrypted SNI and DNSSEC to be supported by both ends of each query/connection. We're still a long way from that, and that seems like a lot of potential weak links in each request.

Fasten your seat belts: Brave Reg hack spends a week eating airline food grounded by coronavirus crash


Re: Tastes differ...

Technically I think the cabin altitude is between 5,000 and 7,500 feet. 25,000 feet and everyone'd be passed out and/or dying.

As Uncle Sam flies spy drones over protest-packed cities, Homeland Security asks the public if that's a good idea


Re: I don't even see an option to make a comment.

> A drone operator is looking at a screen, possibly dozens of miles away giving them a detachment from the human situation unfolding below the drone that a helicopter pilot may not feel.

Not dozens of miles away. Hundreds or thousands of miles away in some cases - https://en.wikipedia.org/wiki/Creech_Air_Force_Base.

In this particular article, the drone took off from North Dakota (Grand Forks Air Force). I don't know where CBP houses their "pilots", but given that it flew from the "top-left corner" of ND to Minneapolis, MN, it flew at least hundreds of miles to or from its pilot (unless it was some perfect triangle between the start, flyover and pilot)


Re: I am reminded...

Technically the third step. The first step discontinued those sales in 2015, only to be rescinded by that raspberry sized AG Jeff Sessions in 2017.


I am reminded...

Of a Jim Jefferies quote from his comedy show Bare regarding the second amendment...

"See, the one thing that I do really agree with with the right to bear arms, I really agree with… That the real reason it was written was so that you could form a militia to fight against a tyrannical government. In case the government became a bunch of cunts, you could all get your guns and fight back, and that’s why it was written. – [Audience cheering] – Yeah! And that made a hell of a lot of sense when it was just muskets. But you do know the government has drones, right? You get that? You’re bringing guns to a drone fight!"

Kinda goes without saying, but shore up your admin passwords or be borged by this brute-forcing botnet


Re: Goes Without Saying

Because internet security is like condoms or car insurance. Their value isn't appreciated until its too late.