Taking Advantage of DNSSEC

Great overview of what’s coming (eventually) to DNS and the internet.

SWITCH Security-Blog

According to measurements by APNIC’s Geoff Huston, currently 16 percent of Swiss Internet users use a DNSSEC validating DNS resolver. If you want to benefit from the added security with DNSSEC in your network then I suggest you enable DNSSEC validation in your network as well. SurfNet published a deployment guide recently that takes BIND 9.x, Unbound and Microsoft Windows Server 2012 into account.

Enabling DNSSEC validation on your DNS resolvers is one simple step and it protects you from DNS Cache Poisoning. However, if it were only for this, then the DNSSEC protocol complexity would come at a high cost for only providing this one benefit. In fact, DNSSEC is much more than only a protection from Cache Poisoning. It’s a new PKI in DNS and if you have signed your zone and are already validating then you can take advantage of that PKI. Some use cases are…


How to Test DNSSEC and DANE on a Domain

Here’s a simple way to check if DANE is properly setup on a site:

# echo -n | openssl s_client -connect spdysync.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | tr -d :
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA256 Fingerprint=461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD530BF2C2

And then compare that value against published TLSA record:

# dig +short TLSA _443._tcp.spdysync.com
3 0 1 461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD 530BF2C2

These values should match. If they don’t, assume the site has been compromised.

This assumes of course the domain is also signed with DNSSEC. A properly configured domain: http://dnssec-debugger.verisignlabs.com/spdysync.com
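The same comparison written as a small checker that reads the selector and matching-type fields from the TLSA record instead of assuming “3 0 1”. This is an added example, not part of the original post; it assumes only the openssl CLI and takes the certificate as a PEM file (for instance the one printed by the s_client pipeline above), so it needs no network access itself.

```shell
#!/bin/sh
# Added example (not from the original post): check a PEM certificate against a
# TLSA record, honouring the record's selector and matching-type fields.
# Assumes the openssl CLI is installed.

# Print the lowercase hex digest TLSA expects for one certificate.
#   $1 PEM file
#   $2 selector: 0 = full DER certificate, 1 = SubjectPublicKeyInfo only
#   $3 matching type: 1 = SHA-256, 2 = SHA-512
tlsa_digest() {
  pem=$1; sel=$2; mtype=$3
  case "$mtype" in
    1) alg=sha256 ;;
    2) alg=sha512 ;;
    *) echo "unsupported matching type: $mtype" >&2; return 2 ;;
  esac
  case "$sel" in 0|1) ;; *) echo "unsupported selector: $sel" >&2; return 2 ;; esac
  {
    if [ "$sel" = 0 ]; then
      openssl x509 -in "$pem" -outform DER
    else
      openssl x509 -in "$pem" -noout -pubkey | openssl pkey -pubin -outform DER
    fi
  } | openssl dgst -"$alg" | sed 's/^.*= *//' | tr 'A-Z' 'a-z'
}

# Compare a TLSA rdata line, as printed by "dig +short TLSA _443._tcp.<host>",
# with a PEM certificate. Exit status: 0 = match, 1 = mismatch, 2 = unsupported
# record. Usages 1 and 3 refer to the end-entity certificate; usages 0 and 2
# refer to a CA certificate in the chain, so pass that certificate instead.
tlsa_match() {
  pem=$2
  set -- $1                 # word-split rdata: usage selector mtype digest...
  sel=$2; mtype=$3; shift 3
  # dig breaks long hex strings with spaces; normalise spacing and case.
  want=$(printf '%s' "$*" | tr -d ' ' | tr 'A-Z' 'a-z')
  have=$(tlsa_digest "$pem" "$sel" "$mtype") || return 2
  [ "$want" = "$have" ]
}
```

Run it as `tlsa_match "$(dig +short TLSA _443._tcp.example.com)" cert.pem` after saving the server certificate to cert.pem; a non-zero exit means the record and the presented certificate disagree.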

Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap

Background:

So I host a variety of small websites on a VPS at Ramnode (affiliate link). I’ve been extremely happy with their service, and their performance per dollar ratio. Previously I had been using DigitalOcean, but their VPS performance lately was a bit lacking compared to other providers (sorry DigitalOcean, I still love ya). As part of my evaluation of a handful of providers I performed extensive benchmarking to determine which VPS provider would be best for my (amateur) needs. It was also an excuse to use Excel again — oh Excel how I miss thee — but I digress.

I’ve been a very happy camper at Ramnode until I realized the weaknesses of having picked OpenVZ Linux containers vs. KVM virtualization which I’ve used in the past. Long story short, with OpenVZ containers the user (me) does not have access to much of the low-level system (including the kernel). This leads to problems with things like iptables logging, syslog, or when trying to access information about a given partition within your container. This lack of partition information unfortunately means that when you try to backup your data with a traditional backup solution like R1Soft you — as a lowly user — do not have the right permissions to read and then backup your data within your own container. Not a problem I said — Ramnode provides customers with regular backups. That was one of the reasons I picked them. 

Well, that was the case until recently: https://clientarea.ramnode.com/announcements.php?id=368 They casually announced that they had disabled the weekly automated backup system. So that sucks, a lot. 

My VPS provider decided to stop backing up my data (even though they sold me a plan saying they would) and due to OpenVZ limitations many of the common automated backup tools simply won’t work.

So I needed to come up with a solution.


NodePing vs. Pingdom — server monitoring

Pingdom:

Positives:

  • mobile app
  • large number of testing locations
  • 10 checks at the yearly price is reasonably priced.
  • Built-in “PagerDuty”-lite incident response is handy, though overkill for personal web servers.
  • I like the root cause analysis any time a check fails. Provides full connection output, response headers, etc. Extremely helpful when troubleshooting the cause of the failed check.

Negatives:

  • New website design is painfully slow and confusing.
  • Can’t add a new check via the mobile app
  • No option to specify a Host header for a check — i.e. to specify the IP address and the hostname separately.
  • No public status page unless you pay 2x per month.


NodePing:

Positives:

  • Free public status page
  • Website is fast and clean, though lacking some features
  • Pricing is attractive, even without a yearly agreement.

Negatives:

  • No mobile app
  • Relatively few testing locations
  • No option to specify a Host header for a check — i.e. to specify the IP address and the hostname separately.
  • Virtually nothing in the way of detail when a check fails. Also no easy way to go back and find a failed check after 300 successful checks have passed.


They both have a variety of checks — HTTP/HTTPS, arbitrary TCP/UDP port checks, POP/SMTP/IMAP, and DNS checks. Both send me an email and a push notification via Pushover whenever there’s an issue. Both use 1-minute checks, and require confirmation from 3 locations before an alert is triggered.

I like StatusCake, but their checks seem spotty at best. They report all kinds of intermittent downtime when every other monitoring service sees zero issues. Not exactly great when your server monitoring tool is lying to you.

I also tested Monitus and CopperEgg. Didn’t like either one. I use New Relic’s free plan which is handy, also Linode’s Longview tool with the free plan.

Ultimately it looks like I’ll be going with Pingdom, even though it’s not my favourite choice.

AweSync: Bridging the Gap Between Lotus Notes and gCal

Lotus Notes to Google Calendar sync
Do you use Lotus Notes? Do you use Google Calendar in your web browser or on your phone? I’ve searched high and low looking for an option to bridge this gap — luckily AweSync solves that problem. Initially I was hesitant to give new software a shot because I had fears that I’d mess up my work calendar. Fear not! AweSync’s software worked splendidly. The software setup could not be simpler — I selected my Lotus Notes account, provided my Google Calendar authentication information, selected the Google Calendar I wanted to sync with, and clicked sync. That’s it! I went from maintaining two calendars to having them completely in sync within 5 minutes of finding out about the application. The only suggestion I have is that I hope AweSync eventually moves to OAuth for the Google authentication instead of the username/password they currently use. I highly recommend this application for anyone in the situation I was in. $20 is a very reasonable price to make my life easier.

iPad = iFailure

It’s really really rough right now, but maybe in a generation or 3 it’ll be worth buying.
Obvious shortcomings:

  • 16GB of memory (on the base unit)
  • Still no Flash in the browser
  • No camera
  • Still no multitasking
  • No SD card slot (no expandable storage)
  • No replaceable battery
  • It’s almost 2x the price of some netbooks today

It’s just a glorified iPhone right now. It needs a generation or 3 to mature into something worthwhile. It’s no netbook killer, that’s for damn sure.

Playlist.com – Soon to be popular? Or dead?

A new site called Project Playlist has popped up recently. It lets you create playlists (duh) and listen to music for free. You can then embed these playlists as music players in various web pages, but not Facebook or MySpace for the moment. The record labels are quite obviously not too happy about this considering you can listen to full songs an unlimited number of times effortlessly. We’ll see if this site sticks around, but for now try it out and enjoy the player embedded below:

How to download any song from Favtape.com

I’ve had my doubts about posting this information because quite honestly I’m a big fan of Favtape.com and I don’t want to see them get in trouble and/or close. That being said, I suppose it can’t hurt that much to put this information out there. Here’s a quick and simple way to download any song that you can play on Favtape.com

  1. Use Firefox (it’s not required but we all know that when you use IE god will kill kittens).
  2. Go to Favtape.com (duh) and find a song that you want.
  3. Click the name of the song to begin playing it.
  4. When you hover over the name of the song you should see something like this in the status bar: http://favtape.com/play/**Artist**/**Song**.mp3  (**Artist** and **Song** obviously replaced with the appropriate information). Click on the image to the right if you don’t understand what I just said.
  5. Now you can’t simply right click and “Save link as”. You actually can’t right click at all. So how do you get the MP3 file?
  6. Method 1 – no tweaking involved:
    1. Open a new tab in Firefox (control + t).
    2. Click + hold the Artist – Song Name and drag this onto the new tab you just created.
    3. That’s it! The song should now start to download, but you’ll need to rename it because it’ll save as “fetch.mp3”.
  7. Method 2 – tweaking the Firefox settings:

    1. In Firefox go to Tools –> Options
    2. Go to the “Content” tab
    3. Find “Enable Javascript”. To the right of this you will see “Advanced”; click on this.
    4. Find “Disable or replace context menus”. Uncheck this box.
    5. Click “OK” and then “OK” again.
    6. Now you can right click on the Artist – Song Name and select “Save link as”.
    7. That’s it! You can now just save the MP3 file we saw in the status bar earlier.
    8. Important Note: You may want to re-enable the “Disable or replace context menus” option because many web applications use this functionality.

Interesting Links 5.30.08

  • TimesMachine – New York Times – TimesMachine can take you back to any issue from Volume 1, Number 1 of The New-York Daily Times, on September 18, 1851, through The New York Times of December 30, 1922.
  • SuperLame! Comic Word Balloon Engine – Simply add speech bubbles to photos you upload. Useless? Sure, but fun.
  • Introduction to CSS3 – Part 4: User Interface – CSS3 brings some great new properties relating to resizing elements, cursors, outlining, box layout and more.
  • Introduction to CSS3 – Part 5: Multiple Columns – CSS3 introduces a new module known, appropriately, as multi-column layout. It allows you to specify how many columns text should be split down into and how they should appear.
  • Design Critique: Blog Platforms – Most designers are familiar with the relative pros and cons of different publishing tools – but what about the websites of the blog platforms themselves?
  • TinySong – type a song, get a link, share the full song with your friends. It’s really that simple. Works great for those “have you heard this song?” moments.
  • Adobe Labs – Adobe has released the first betas for Dreamweaver CS4, Fireworks CS4, and Soundbooth CS4. Note: betas only work for 2 days unless you have an existing CS3 serial number.
  • Fixing Twitter – I am getting sick of talk about twitter and its scalability problems and also frankly unqualified people slagging the service for its unreliability and also coming up with stupid ignorant answers to how it should be fixed.
  • Read at Work – it looks like you’re being productive, but you’re definitely not. Kind of funny, but I can’t imagine actually using it.

Interesting Links 5.16.08