@jschauma@mstdn.social
@jschauma@mstdn.social avatar

jschauma

@jschauma@mstdn.social

Vell, I'm just zis guy, you know?

This profile is from a federated server and may be incomplete. Browse more on the original instance.

jschauma, to ai
@jschauma@mstdn.social avatar

Cool, cool, now uses your workspace data to train its . Gotta hoover up all that juicy data. Surely there's no copyrighted or otherwise sensitive content on any of the corporate instances, and leaking that is totally impossible, pinky-promise.

https://slack.com/intl/en-gb/trust/data-management/privacy-principles

(You still have the option to opt out. For now...)

jschauma, to debian
@jschauma@mstdn.social avatar

On the topic of "key rotation, it's not just for HTTPS", @hanno finds hundreds of DKIM keys apparently generated using the #Debian #OpenSSL predictable PRNG vulenrability from 2008 (CVE-2008-0166):

https://16years.secvuln.info/

(And yes, #BIMI is still stupid.)

jschauma, to random
@jschauma@mstdn.social avatar

Happy 50th Birthday, !

"A Protocol for Packet Network Intercommunication" by Vinton G. Cert and Robert E. Kahn

Published May 1974 in IEEE "Transactions on Communications" and including the definition of 16 bit port numbers, relative sequence numbers, buffering and retransmission based on window size and other flow control.

https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf

Via Patrik Fältström on internet-history@lists.isoc.org:
https://elists.isoc.org/pipermail/internet-history/2024-May/009758.html

jschauma, to random
@jschauma@mstdn.social avatar

OpenSSL is the latest major Open Source project moving distribution / development to GitHub:

https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/

Can't say I'm a fan of centralizing all our development, history, and releases of global, distributed, open source infrastructure pillars under one for-profit US company.

jschauma, to markdown
@jschauma@mstdn.social avatar
jschauma, to random
@jschauma@mstdn.social avatar

Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the :

https://tukaani.org/xz-backdoor/review.html

jschauma,
@jschauma@mstdn.social avatar

Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the :

https://www.openwall.com/lists/oss-security/2024/04/16/5

Noteworthy:

jschauma, to random
@jschauma@mstdn.social avatar

Every so often, I need to chase down some aspect of email validation (, , , ...). This involves a number of records and queries, but I may forget just which ones. So here's a quick /DNS cheatsheet:

jschauma,
@jschauma@mstdn.social avatar

Brief summary of the different records following in this thread.

Longer explanation in my video lectures here:
https://www.youtube.com/playlist?list=PLDadzdouM0VBkac7BMCsEMCcmgHoqRUz6

jschauma,
@jschauma@mstdn.social avatar

A single domain may have multiple MX records which may or may not be in the same domain (which itself may or may not be within the original domain):

jschauma,
@jschauma@mstdn.social avatar

For results with the same preference, mail servers MUST (per RFC2821) pick one at random; otherwise, the lower preference are preferred.

Subdomains may have their own distinct MX records. If a domain name does not have an MX record, but it has A or AAAA records, then one of those addresses is used ("implicit MX"). However, if no records are found, there is no subdomain climbing.

MX records MUST NOT point to a CNAME, but CNAMEs of the original name are followed:

jschauma,
@jschauma@mstdn.social avatar

@partim nice, will need to check it out. Here’s a related tool, although perhaps more specific purpose: https://github.com/zuzazuza/domaincheck

jschauma, to random
@jschauma@mstdn.social avatar

Today's Venn Diagram of Terrible Things

jschauma, to random
@jschauma@mstdn.social avatar

Wait, so nowadays Linux systems don't come with a syslog any more? Tried Fedora 39 and Debian 12 and neither has either of syslogd, rsyslogd, nor syslog-ng, so out of the box you can't remote log. sigh

jschauma, to random
@jschauma@mstdn.social avatar

This new HTTP/2 DoS vulnerability (CONTINUATION Flood) was just disclosed after several weeks of well coordinated disclosure across all the major HTTP implementations yielding multiple CVEs:

https://www.kb.cert.org/vuls/id/421644

Detailed write-up by Bartek Nowotarski, who discovered the issue:
https://nowotarski.info/http2-continuation-flood-technical-details/

jschauma, to random
@jschauma@mstdn.social avatar

Honestly, tho, GNU indirect functions (as abused by the #xz #backdoor) do sound like a malware developer's dream / syadmin's nightmare. And you thought LD_PRELOAD was a footgun...

https://sourceware.org/glibc/wiki/GNU_IFUNC

jschauma, to random
@jschauma@mstdn.social avatar

This is quite neat: an #xz #backdoor poc that patches liblzma to accept a different ed448 key so you can view the full attack in action, even if you can't use this for detection or exploitation.

https://github.com/amlweems/xzbot

jschauma, to random
@jschauma@mstdn.social avatar

For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the actually validates this claim.

We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).

jschauma,
@jschauma@mstdn.social avatar

@Viss srsly, lawyers ruin everything

jschauma, to random
@jschauma@mstdn.social avatar

10.0 has been released! This has been a long time coming, with recent security issues necessitating updates and delays.

NetBSD 10 includes POSIX.1e ACLs, experimental WireGuard support, and a range of performance improvements:

https://netbsd.org/releases/formal-10/NetBSD-10.0.html

(It's worth noting that NetBSD is not affected by the , both because that targets Linux/glibc/systemd and because the version of xz shipped with NetBSD predates the inclusion of the backdoor code.)

jschauma, to random
@jschauma@mstdn.social avatar

Regarding the backdoor, I've seen statements like "if you're not running a publicly exposed sshd, you're safe". This is not the case and reflects a pretty outdated security mindset. You're still vulnerable, because you shouldn't assume internal connections are inherently trustworthy.

Yes, it limits exposure, but that's not the same - you still have a high-severit incident on your hands. Anyway, just here stating the obvious, as usual. ✌️

jschauma, to random
@jschauma@mstdn.social avatar

Motherfucking Apple again.

“This computer that you’ve been using for the last two years? Never seen that before, so I’m going to delete all your playlists on both your phone and that computer. Enjoy!”

jschauma, to random
@jschauma@mstdn.social avatar

Today in stupid games: sorting by numeric IPv4 address

Input: a file with '|' separated fields with IPv4 addresses in the third field

awk -F'|' '{print $3 "%" $0 }' | # pull the address to the front \
sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | # numerically sort each octet in order \
sed -e 's/^.*%//' # strip the leading field again

jschauma, to sysadmin
@jschauma@mstdn.social avatar

Hey Fediverse! The Spring semester is about to start, and I'll be teaching System Administration again:

https://stevens.netmeister.org/615/

Topics covered include: basic operating system & filesystem concepts, software installation & package management, config management, automation, tools development, TCP/IP networking, common services, system security.

All lectures are online as free videos; if you'd like to follow along, here's the playlist for Week 1:

https://www.youtube.com/playlist?list=PLDadzdouM0VCV7tjurqM8FHY6APK9wvJl

jschauma,
@jschauma@mstdn.social avatar

In our last class, we covered from a perspective. I don't have lecture videos for that week, but here are the slides:

https://stevens.netmeister.org/615/09-writing-system-tools.pdf

We cover "scripting" vs. "programming" vs. software engineering, choosing the right tool for the job, extol the virtues of 's taint checking, lambast "clever" code, and frequently refer to F. Brooks and the Mythical Man-Month. (Yes, we could spend a whole semester on this topic, too.)

jschauma,
@jschauma@mstdn.social avatar

This week, our #SysAdmin syllabus covers backups and restores, including use of dump(8), #rsync, and flux-capacitors (e.g., ZFS snapshots, Apple TimeMachine, NetApp's WAFL). We also were supposed to talk about #syslog and monitoring, but honestly, chances are we'll spend most of our time on the #xz #backdoor.

Playlist of lecture videos on #backups:

https://www.youtube.com/playlist?list=PLDadzdouM0VArSooGALeG1U0y4_eYqJu8

  • All
  • Subscribed
  • Moderated
  • Favorites
  • megavids
  • InstantRegret
  • magazineikmin
  • GTA5RPClips
  • osvaldo12
  • thenastyranch
  • Youngstown
  • everett
  • slotface
  • mdbf
  • rosin
  • ngwrru68w68
  • kavyap
  • DreamBathrooms
  • anitta
  • Durango
  • khanakhh
  • modclub
  • cubers
  • vwfavf
  • cisconetworking
  • tacticalgear
  • ethstaker
  • tester
  • Leos
  • provamag3
  • normalnudes
  • JUstTest
  • All magazines