Age, Minisign, 36c6, RRSIG, RBAC, PoLP, Notify, RDC

  • Studied the age encryption tool @ GitHub and the specs for age-encryption @ Age-Encryption. Yet again, all the basic stuff in the package and nothing new? X25519, ChaCha20-Poly1305, SHA-256, HKDF, HMAC, MGF1, CSPRNG, scrypt, ssh-rsa, ssh-ed25519. Yet it doesn't support signing the files. Which is kind of a bummer. With a shared secret, successful decryption (with hash verification) is almost like, ahem, the data were signed. But with public key crypto, signing should be mandatory, because anyone can do the encryption part successfully.

  • Of course you can separately use minisign, a lightweight tool for signing files. But I don't know if this is any better a way of doing things than using a single program like the loathed GnuPG, which can do both easily.

  • 36C6 notes - "2.4GHz: use channels 1, 5, 9 or 13 @ 20MHz". Yes, exactly as I've been doing all the time. Being reminded about obvious things made me smile: physical security, data encryption, data backups, labeling your hardware, setting a BIOS password, the insecurity of locks (funny with lock picking challenges), never lose sight of your laptop, don't use bad passwords, secure your boot loader, proper access control, no root shell, lock your workstation, use strong passphrases, full disk encryption, uninstall Flash, don't use unencrypted connections (passwords & cookies will leak), check public key fingerprints / certificate signatures (https, ssh, imaps, smtps, tls, etc). Internet Explorer not recommended, don't trust anyone, don't let anyone see your passwords, or even the typing of passwords, Firewire can be used to copy system RAM even if the system is locked, remember the IPv6 firewall, disable automatic login / logon.

  • Nice article by BBC Future - how to survive a nerve agent attack. Also promoting new technologies like hyperspectral cameras to detect chemical weapons.

  • Found out that the local transit authority's route planner isn't working at all, because they have expired RRSIG records in their DNS configuration. This pretty much sums up why nobody wants IPv6 nor secure systems, because those things just won't work or require extra maintenance, extra configuration, increase the chances of configuration mistakes, etc. Simpler is better, even if it would be totally insecure. Old school. Who needs authentication, who needs public keys, who needs encryption, who needs data validation / sanitization. Nope, just get it done and working. - Maybe a bit of sarcasm in the air, but who cares. Lots of systemd-resolved and DNSSEC debugging, let's see what the final outcome will be ... I also found out that one of my friends' servers was similarly misconfigured. RRSIG and NSEC / NSEC3 records are present, but the DS record is missing. -> systemd-resolved fails the lookup, but for example Cloudflare and Google DNS are totally happy with this situation. Should the validation fail or not? Clearly a very confusing situation.
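
As an added example (not part of the original post), a small checker for exactly the failure mode above: it parses RRSIG records in presentation format and reports which signatures a validating resolver would reject for lying outside their inception/expiration window. The zone name, timestamps and signature bytes are constructed, and the missing-DS case is not modelled here.

```python
from datetime import datetime, timezone

# Constructed RRSIG records in presentation format (RFC 4034 section 3.2):
# owner TTL class RRSIG type-covered algorithm labels original-TTL
# expiration inception key-tag signer signature.  Names, dates and the
# signature bytes are made up for this example; they are not real zone data.
SAMPLE_RRSIGS = [
    "planner.test. 3600 IN RRSIG A 13 2 3600 20201120000000 20201101000000 "
    "12345 planner.test. c29tZXNpZ25hdHVyZQ==",
    "planner.test. 3600 IN RRSIG NSEC 13 2 3600 20201231000000 20201201000000 "
    "12345 planner.test. c29tZXNpZ25hdHVyZQ==",
]

# Constructed "validator's notion of the current time" used by the demo.
REFERENCE_TIME = datetime(2020, 12, 6, tzinfo=timezone.utc)


def _dnssec_time(field):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return (type_covered, inception, expiration) from one RRSIG line."""
    fields = line.split()
    i = fields.index("RRSIG")
    return fields[i + 1], _dnssec_time(fields[i + 6]), _dnssec_time(fields[i + 5])


def rrsig_status(line, now):
    """Classify one signature against the reference time.

    RFC 4035 section 5.3.1: the validator's current time must lie within
    [inception, expiration], inclusive, or the signature is not accepted.
    """
    _, inception, expiration = parse_rrsig(line)
    if now < inception:
        return "not-yet-valid"
    if now > expiration:
        return "expired"
    return "valid"


def broken_signatures(lines, now=REFERENCE_TIME):
    """Return the RR types whose RRSIG a validating resolver would reject."""
    return [parse_rrsig(l)[0] for l in lines if rrsig_status(l, now) != "valid"]
```

Running the same check against the output of `dig +dnssec` for a real zone is the quickest way to confirm whether a lookup failure is a stale signature rather than a resolver bug.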

  • I'm just wondering if I've ever mentioned default credentials. Well, once again. But that's it, not going to say more. So sick'n'tired of this topic.

  • Long, long discussions about access control and rights management. Principle of Least Privilege (PoLP) and Role-Based Access Control (RBAC).

  • The joy of multi-platform communications. Now the monitoring system can report issues over various channels: Email, Telegram, Slack, Teams, Discord, Matrix, Twitter and SMS, depending on error severity, situation and reachability on specific delivery channels. For example, for most issues SMS is only a fallback channel, used if everything else fails. The monitoring systems are running in three independent data centers and ASNs.

  • Remote Desktop UDP hanging all the time. I just finally had time to weed out the problem. And I found out that Remote Desktop Protocol (RDP) / Remote Desktop Connection (RDC) hanging constantly is related to the IPv6 configuration, and bad Remote Desktop software which doesn't handle the issues well. Yet another problem where disabling IPv6 or UDP will immediately fix the problem. But now I know how to fix the issue, the right or the wrong way. At least the hanging isn't a mystery anymore. Of course a well written client should also handle this situation by reverting back to a mode where it works and not annoying users with constant hangs. But why?!

  • Something different? AGR-20A Advanced Precision Kill Weapon System (APKWS).

  • Google Sites update - Just an up-to-date note while publishing: it seems that Google Sites has once again changed the default templates. Now a new page does contain a header, with a new font and centered by default. Last week the header was missing and the font, size, type and alignment needed to be set manually. Also Google Sites became unreachable while writing this post, for around 15 minutes, really annoying. Lost some changes and text due to the poor reliability of the service. After that the publish preview didn't correctly detect all the changes. Something is clearly very broken here. So typical.

2020-12-06