Taking Advantage of DNSSEC

Great overview of what’s coming (eventually) to DNS and the internet.

SWITCH Security-Blog

According to measurements by APNIC’s Geoff Hustoncurrently 16 percent of Swiss Internet users use a DNSSEC validating DNS resolver. If you want to benefit from the added security with DNSSEC in your network then I suggest you enable DNSSEC validation in your network as well. SurfNet published a deployment guide recently that takes BIND 9.x, Unbound and Microsoft Windows Server 2012 into account.

Enabling DNSSEC validation on your DNS resolvers is one simple step and it protects you from DNS Cache Poisoning. However, if it were only for this, then the DNSSEC protocol complexity would come at a high cost for only providing this one benefit. In fact, DNSSEC is much more than only a protection from Cache Poisoning. It’s a new PKI in DNS and if you have signed your zone and are already validating then you can take advantage of that PKI. Some use cases are…

View original post 582 more words

How to Test DNSSEC and DANE on a Domain

Here’s a simple way to check if DANE is properly setup on a site:

# echo -n | openssl s_client -connect spdysync.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | tr -d :
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SHA256 Fingerprint=461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD530BF2C2

And then compare that value against published TLSA record:

# dig +short TLSA _443._tcp.spdysync.com
3 0 1 461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD 530BF2C2

These value should match. If they don’t assume the site has been compromised.

This assumes of course the domain is also signed with DNSSEC. A properly configured domain: http://dnssec-debugger.verisignlabs.com/spdysync.com

Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap


So I host a variety of small websites on a VPS at Ramnode (affiliate link). I’ve been extremely happy with their service, and their performance per dollar ratio. Previously I had been using DigitalOcean, but their VPS performance lately was a bit lacking compared to other providers (sorry DigitalOcean, I still love ya). As part of my evaluation of a handful of providers I performed extensive benchmarking to determine which VPS provider would be best for my (amateur) needs. It was also an excuse to use Excel again — oh Excel how I miss thee — but I digress.

I’ve been a very happy camper at Ramnode until I realized the weaknesses of having picked OpenVZ Linux containers vs. KVM virtualization which I’ve used in the past. Long story short, with OpenVZ containers the user (me) does not have access to much of the low-level system (including the kernel). This leads to problems with things like iptables logging, syslog, or when trying to access information about a given partition within your container. This lack of partition information unfortunately means that when you try to backup your data with a traditional backup solution like R1Soft you — as a lowly user — do not have the right permissions to read and then backup your data within your own container. Not a problem I said — Ramnode provides customers with regular backups. That was one of the reasons I picked them. 

Well, that was the case until recently: https://clientarea.ramnode.com/announcements.php?id=368 They casually announced that they had disabled the weekly automated backup system. So that sucks, a lot. 

My VPS provider decided to stop backing up my data (even though they sold me plan saying they would) and due to OpenVZ limitations many of the common automated backup tools simply won’t work.

So I needed to come up with a solution.

Continue reading “Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap”

Emails Show Feds Asking Florida Cops to Deceive Judges

Police in Florida have, at the request of the U.S. Marshal’s Service, been deliberately deceiving judges and defendants about their use of a controversial surveillance tool to track suspects, according to newly obtained emails.

Source: http://www.wired.com/2014/06/feds-told-cops-to-deceive-courts-about-stingray/


When a normal person lies to a judge/court you get an even harsher punishment, BUT if you’re a police officer …apparently you just get more convictions — no questions asked!


AweSync: Bridging the Gap Between Lotus Notes and gCal

Lotus Notes to Google Calendar sync
Do you use Lotus Notes? Do you use Google Calendar in your web browser or on your phone? I’ve searched high and low looking for an option to bridge this gap — luckily AweSync solves that problem. Initially I was hesitant to give new software a shot because I had fears that I’d mess up my work calendar. Fear not! AweSync’s software worked splendidly. The software setup could not be simpler — I selected my Lotus Notes account, provided my Google Calendar authentication information, selected the Google Calendar I wanted to sync with, and clicked sync. That’s it! I went from maintaining two calendars to having them completely in sync within 5 minutes of finding out about the application. The only suggestion I have that I hope AweSync eventually moves to use OAuth for the Google authentication instead of using username/password like they currently do. I highly recommend this application for anyone in the situation I was. $20 is a very reasonable price to make my life easier.