Disobey, SYN, SSHFP, Aroflex, RDP, Telia, Outage

  1. Disobey 2020 Keynote by Mikko Hyppönen (@ YouTube ). There were a few points I really couldn't agree with. 1) It doesn't matter if there's a service which does something out of the box or not. If secret information leaks, it's still a leak. 2) No, technical vulnerabilities aren't (always) bugs. It's not a bug, however disastrous it is, if it's according to the requirements specification. A program can be disastrously bad, or cause huge damage, even if it is completely bug free. As an example, a /users request could return a full user database dump, including plaintext passwords and email addresses, and that doesn't mean it would be a bug. IT / IoT Asbestos.

  2. SYN cookies ate my dog (@ kognito.com ). Yeah, syn cookies are only for special situations. It's bad that those already break window scaling. By default, if service isn't under attack, syn cookies shouldn't be used. Nothing new there in that sense.

  3. Configured SSHFP DNS records (@ Wikipedia ) with DNSSEC (@ Wikipedia ) for servers using SSH (@ Wikipedia ) which aren't "so well known" that I would trust everyone to know the correct fingerprint. Of course this requires them to set the VerifyHostKeyDNS option to yes, for the hosts being verified via DNS.
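The SSHFP side of that setup, as an added example in Python (not code from this post): it derives the record that ssh-keygen -r publishes from an OpenSSH public-key line, and models what a client with VerifyHostKeyDNS set to yes should do with the DNS answer, trusting a fingerprint match only when the resolver validated it with DNSSEC. The key below is a constructed dummy, and check_host_key is my simplified model, not OpenSSH's own code.

```python
import base64
import hashlib

# SSHFP RDATA field values (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}

def sshfp_from_pubkey(pubkey_line, fptype="sha256"):
    """(algorithm, fp type, hex fingerprint) for one OpenSSH public-key line;
    the digest is taken over the decoded key blob, as ssh-keygen -r does."""
    keytype, b64blob = pubkey_line.split()[:2]
    digest = hashlib.new(fptype, base64.b64decode(b64blob)).hexdigest()
    return SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], digest

def sshfp_record(owner, pubkey_line, fptype="sha256"):
    """Zone-file line to publish, e.g. 'host.example. IN SSHFP 4 2 <hex>'."""
    alg, fpt, fp = sshfp_from_pubkey(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"

def parse_sshfp(rdata):
    """Presentation-format RDATA '4 2 <hex>' -> comparable tuple."""
    alg, fpt, fp = rdata.split()
    return int(alg), int(fpt), fp.lower()

def check_host_key(pubkey_line, rdatas, dnssec_validated):
    """Simplified model of a client with VerifyHostKeyDNS=yes (not OpenSSH's
    own code): a matching fingerprint is only trusted automatically when the
    resolver validated the answer with DNSSEC (AD bit); without that, the
    user still has to confirm the key by hand."""
    candidates = {sshfp_from_pubkey(pubkey_line, t) for t in SSHFP_FPTYPE}
    published = {parse_sshfp(r) for r in rdatas}
    if not published:
        return "no-record"
    if not candidates & published:
        return "mismatch"      # key changed or forged answer: refuse to connect
    return "match-secure" if dnssec_validated else "match-insecure"

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

# Constructed sample key (not a real host key): an ssh-ed25519 blob wrapping a dummy 32-byte value.
CONSTRUCTED_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " test-host"
```

On a real server, compare sshfp_record's output with what `ssh-keygen -r host.example.` prints, and use `dig +dnssec SSHFP host.example.` from the client side to see whether the answer comes back with the ad flag set.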

  4. More stories about backdoored, or more like on purpose weakened, encryption. T1000CA / Aroflex (@ ceesjansen.nl ). Is there any reason to assume that this approach would have changed lately? - No? We give you this ultra high security cipher, to use for all your secret stuff. - Is it secure then? Who knows. But based on history, we might try to guess. Also see the Crypto Museum page about the Aroflex Rapid offline encryption device (@ cryptomuseum.com ). kw: Aroflex, Beroflex, T-1000/CA, Chinaflex

  5. One fellow admin just mentioned that their customer is so worried about RDS (@ Wikipedia ) security issues that they're installing VNC (@ Wikipedia ) on all workstations. Sounds just like the case where TLS 1.0 and TLS 1.1 are dangerously broken and weak. But if we use plain HTTP, we don't have that problem with weak ciphers anymore!

  6. So classic: specifications are bad, nearly non-existent, test cases are really incomplete and often incorrectly constructed, directly contradicting the specification documentation. This is exactly why programming is so awesome. Programming is 1% coding and 99% of the work is trying to figure out what they're actually asking you to do. - We're late with the project, there's no time to make specifications or test cases. Let's just change something in the code randomly and deploy it. - For some reason I don't believe this is the most efficient way of dealing with things, but some people seem to believe so. Well, you've probably already guessed what follows from this approach. - Maybe that's kind of evolutionary programming? I'll just make random changes to the program, until it works as desired?

  7. National outage of Telia Finland / Telia Carrier Networks. Well, this is exactly why I have three parallel operators, which I can use in such situations. Also many seemed to miss that when "the internet is down", it remains to be defined "where the internet is". In this case, international connectivity was lost. But a lot of national connectivity remained, yet if DNS failed, that prevented many from using the systems. For these situations, I've got a list of key IP addresses. I was able to use the network with IP addresses to tunnel to other ISP(s) and use the international connections via an alternate route. In a quick test I already found three working options: UpCloud, Elisa and Hetzner. All of those were accessible (in Finland) even if the "internet was down". Well, if I can reach an alternate data center, then I can tunnel my traffic via the alternate connection and gain "transparent" connectivity back. That's not that hard after all. But I'm sure there are lots of users who haven't thought about these options, nor practiced how to easily and quickly enable the options if and when required. That's why you'll need to practice and pretest these things. As a bonus, I've got connectivity from two other operators at home. So, even if those workarounds wouldn't work, then there would just be other options to use.

  8. Something different? Long Range Stand Off Weapon (LRSO) (@ Wikipedia ). YAGM-180A and YAGM-181A.

2021-05-02