Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

Digital Safe version 2

Previously I modified a cheap electric safe to work with an Arduino, because the original controller board had failed. But because my build skills aren’t the best, I kept getting serial port issues, and more than once needed to get to the emergency key to open the safe. At the same time someone asked me if the same design would work with one of the real cheap ($30) safes on Amazon.

Using RSA and ECDSA on Apache with CentOS / RedHat

Previously I described a relatively modern set of TLS settings that would give an A+ score on SSLtest. This was based purely on an RSA certificate. There exist another type of certificate, based on Elliptical Curve cryptography. You may see this referenced as ECC or, for web sites, ECDSA. An ECDSA certificate is smaller than an RSA cert (eg a 256bit ECDSA cert is roughly the equivalent of a 3072bit RSA one).

Data Loss Prevention (DLP)

Working in Cyber Security I’m frequently reminded that the reason we do all the things we do is, ultimately, to protect the data. After all, apps are there to process data, servers (and clouds) are there to run apps and store data. So the whole of cyber security is there to protect the data. It may be Identity and Access Management (restrict access to data to those people who should have access to it).

More modern TLS settings

Back in 2016 I documented how to get an A+ TLS score. With minor changes this still works. But times have changed. In particular older versions of TLS aren’t good; at a very least you must support nothing less than TLS1.2. Consequences of limiting to TLS 1.2 or better If you set your server to deny anything less than TLS 1.2 then sites like SSLlab tell us that older clients can no longer connect.

It was OK before; why is it broke now?

As I was rebuilding my network I came across a problem. In my basement I had previous run a cable from my core switch around the room to the other side, where I had a small 100baseT switch to handle the equipment on that table. I’d also run another cable across the ceiling to the back of the house, where I had the Powerline network. Everything seemed to be working fine, and it had been doing so for years.

Extending the wireless on my router

3 years ago I replaced OpenWRT with a home grown router. It’s worked pretty well, but I wanted to take advantage of improvements in networking (5Ghz!) and also improve coverage. This kinda became important due to COVID lockdown and Work From Home. My library, where I was working from, had very weak network signal. I needed to do better. So I decided to look at turning off in the inbuilt WiFi and use an external WAP (Wireless Access Point, or just AP).

Firewall Basics

What is a firewall? Think of an office building with a keycard entry system. To get into the building you need to put your card to the reader. If it think you’re authorized then the gate will open and you can enter. Similarly, a number of offices require you to “badge out” as well. This badge/gate system is a simple analogy for a firewall. A network firewall may be considered to be a security gate to separate the network up into “inside” and “outside” and you define rules to allow traffic to pass through the gate.

RSA wrapped AES

Here’s a common requirement: We want to transfer a file containing sensitive data to a partner; they want us to put the data in their S3 bucket. How can we do this securely? Now you might start with putting controls around the S3 bucket itself; make sure it’s properly locked down, audit logs and so on. But there’s a number of issues with this. In particular, S3 bucket permissions are easy to get wrong.

Capital One Breach

I was asked a question around the Capital One breach. It seems that, in some areas, fingers are being pointed at Amazon, and they should be held (at least partly) to blame for this. It also seems as if Senator Wyden is also asking Amazon questions around this. There’s also a question around Paige Thompson, the hacker, and her previous relationship as an Amazon employee. If she used any insider knowledge to break into Capital One then this would erode a lot of trust in Amazon’s Web Services, and the public cloud in general.

SecDevOps? DevSecOps? SecDevSecOpsSec!

I was at a conference the other week and the discussion turned to DevSecOps, and the comment of “it should have remained SecDevOps” was made. Now I’m a security guy so I joked that it really should be “SecDevSecOpsSec”, which got a laugh. But I was actually serious because I feel the focus on DevSecOps is causing a lot of other work to be missed. DevSecOps is good… A lot of the focus on DevSecOps is around improving code quality and security without harming the productivity enhancements that DevOps has brought to the table.