Secure Dynamic Firewall, DiceKeys, IPv6, TPM, UpCloud, Firefox
Wrote a small program which dynamically updates firewall rules based on dynamic remote endpoints, to avoid the need for double, or sometimes triple, encryption. If the protocol is already a secure protocol, there's no point putting it inside a user-specific VPN which is then tunneled via a site VPN. Now it's possible to connect directly using the encrypted protocol to the end host from a specific IP address. Not "perfectly secure", but the performance gains are huge, especially when transferring larger amounts of data or when connections need low latency. Naturally this also improves routing a lot, because many extra hops are dropped.
DiceKeys (@ schneier.com), interesting concept. Yet it's just a rewarming of good old stuff, with some hardware / software included. No additional value, but it's a nice nerd gimmick to impress your friends.
And more IPv6 problems, routing breaks down after a while. Everything works perfectly and then packets start to run in endless loops. So frustrating. Yes, I kind of see why nobody wants to use IPv6: it's endless troubleshooting, like with very bad alpha software. Packets loop until the TTL runs out. Well, the reason was that for some reason the router didn't see the workstation anymore. HBH traffic remained normal, yet routing didn't work anymore. Interestingly, re-applying the netplan configuration fixed the issue temporarily. But most probably the final issue was too short prefix availability on the network, with too long a MaxRtrAdvInterval and an AdvReachableTime a bit too short compared to that. Didn't bother to investigate what exactly the reason was. But it was a combination of the radvd parameters not being optimal. Generally on a small network, it doesn't make sense to send reachability probes all the time. It's good to remember that some of the fields in radvd use ms and some use seconds, so it's easy to make a 1000x fail. Ref: Netplan reference (@ netplan.io)
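An added example (mine, not the author's program or configuration): a small checker that normalizes the radvd timer keywords to seconds and flags the settings radvd itself rejects, plus a heuristic for the seconds-vs-milliseconds mix-up. The radvd.conf snippet is constructed, and the sub-second heuristic is my assumption, not a radvd rule.

```python
import re

# radvd.conf(5) timer keywords and the units each is written in: seconds, except
# AdvReachableTime, which is milliseconds (the 1000x trap mentioned in the post).
UNITS_PER_SECOND = {"MaxRtrAdvInterval": 1, "MinRtrAdvInterval": 1, "AdvDefaultLifetime": 1,
                    "AdvValidLifetime": 1, "AdvPreferredLifetime": 1, "AdvReachableTime": 1000}

def parse_timers(conf):
    """Return {keyword: value in seconds} for timer keywords found in radvd.conf text."""
    timers = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(\w+)\s+([0-9.]+)\s*;", line.split("#", 1)[0])
        if m and m.group(1) in UNITS_PER_SECOND:
            timers[m.group(1)] = float(m.group(2)) / UNITS_PER_SECOND[m.group(1)]
    return timers

def check_radvd(conf):
    """Apply the range/ordering rules radvd enforces, plus a unit mix-up heuristic."""
    t = parse_timers(conf)
    maxi = t.get("MaxRtrAdvInterval", 600.0)        # defaults as in radvd.conf(5)
    mini = t.get("MinRtrAdvInterval", 0.33 * maxi)
    deflt = t.get("AdvDefaultLifetime", 3 * maxi)
    reach = t.get("AdvReachableTime", 0.0)
    findings = []
    if not 4 <= maxi <= 1800:
        findings.append("MaxRtrAdvInterval must be 4..1800 s")
    if not 3 <= mini <= 0.75 * maxi:
        findings.append("MinRtrAdvInterval must be 3..0.75*MaxRtrAdvInterval s")
    if deflt != 0 and not maxi <= deflt <= 9000:
        findings.append("AdvDefaultLifetime must be 0 or MaxRtrAdvInterval..9000 s")
    if reach > 3600:
        findings.append("AdvReachableTime must be <= 3600000 ms")
    # Heuristic (mine, not a radvd rule): a sub-second reachable time almost always
    # means a seconds value was typed into the milliseconds field.
    if 0 < reach < 1:
        findings.append("AdvReachableTime < 1 s: seconds typed into a milliseconds field?")
    return findings

# Constructed sample: default route lifetime shorter than the advertisement interval,
# and a reachable time meant as 30 s but written as 30 (which radvd reads as 30 ms).
BAD_CONF = """interface eth0 {
    MaxRtrAdvInterval 1800;
    AdvDefaultLifetime 900;
    AdvReachableTime 30;
    prefix 2001:db8::/64 { AdvOnLink on; AdvAutonomous on; };
};"""
GOOD_CONF = (BAD_CONF.replace("AdvDefaultLifetime 900", "AdvDefaultLifetime 5400")
             .replace("AdvReachableTime 30;", "AdvReachableTime 30000;"))
```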
Finally the Outlook TPM (@ Wikipedia) issue is fixed. Oh boy, that was way annoying. Many computers were replaced because key security features got seriously broken.
After seeing so many repeated fails, someone should make a post: "falsehoods programmers believe about email addresses". See: RFC 6530 (@ tools.ietf.org). Just got a bug report that an email address can contain non-ASCII (@ Wikipedia). Is that a bug? - Ha, nope.
At one point I claimed the UpCloud team was getting sloppy. But now it seems that they've fixed one of the issues they refused to acknowledge earlier. Now the management hub search using hostname works again. It was broken for quite a good while, and they said there's nothing wrong with it. Even if it obviously wasn't working.
Firefox problems: it refuses to start, claiming that it's already running. But that's not true. Yet after starting to analyze the root cause again, it seems that for some very strange reason there are files encrypted with two different keys in my file system, even though I should be using only one key. It seems probable that the user account TPM mess created by the Windows 10 / 2004 feature update messed up the EFS (@ Wikipedia) keys, and having two keys is the problem. Anyway, it's good that the fact that separate keys are being used comes to light. Because it's highly probable that if that fact isn't known, the keys aren't properly backed up either. Time to run the cipher /U (update keys) and cipher /X (export backup) commands. Yet interestingly, it's the NEWER key that so often fails to decrypt, not the old one. Go figure Micros*t! -> Files written lately are now temporarily unreadable; older files on the drive are totally readable with the old key. Maybe this could also have something to do with the Office s*t. - Again, one of the primary reasons not to use disk / file / any encryption at all is the huge problems it creates. Anyway, it's interesting that a file can't be accessed, but it's still OK to update the encryption keys with the same credentials / rights. The question remains why some of the newer files were stored with a different key than the old ones? Now after the update all the files are using the old key. Way strange. Yet I can't stop loving systems which seriously f-up things without telling the user what the end result could be. Let's hope the issue is resolved now. Rekeyed / touched everything + backed up all the keys. And now Firefox is also working. Ha, thank you Microsoft for this one. Anyway, Firefox, you gave me disinformation. If the application can't access some files / directories (because there's no decryption key available), it does not mean that Firefox is already running. So please, fix your error messages. So classic.