Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

More modern TLS settings

Back in 2016 I documented how to get an A+ TLS score. With minor changes this still works. But times have changed. In particular older versions of TLS aren’t good; at a very least you must support nothing less than TLS1.2. Consequences of limiting to TLS 1.2 or better If you set your server to deny anything less than TLS 1.2 then sites like SSLlab tell us that older clients can no longer connect.

It was OK before; why is it broke now?

As I was rebuilding my network I came across a problem. In my basement I had previous run a cable from my core switch around the room to the other side, where I had a small 100baseT switch to handle the equipment on that table. I’d also run another cable across the ceiling to the back of the house, where I had the Powerline network. Everything seemed to be working fine, and it had been doing so for years.

Extending the wireless on my router

3 years ago I replaced OpenWRT with a home grown router. It’s worked pretty well, but I wanted to take advantage of improvements in networking (5Ghz!) and also improve coverage. This kinda became important due to COVID lockdown and Work From Home. My library, where I was working from, had very weak network signal. I needed to do better. So I decided to look at turning off in the inbuilt WiFi and use an external WAP (Wireless Access Point, or just AP).

Firewall Basics

What is a firewall? Think of an office building with a keycard entry system. To get into the building you need to put your card to the reader. If it think you’re authorized then the gate will open and you can enter. Similarly, a number of offices require you to “badge out” as well. This badge/gate system is a simple analogy for a firewall. A network firewall may be considered to be a security gate to separate the network up into “inside” and “outside” and you define rules to allow traffic to pass through the gate.

RSA wrapped AES

Here’s a common requirement: We want to transfer a file containing sensitive data to a partner; they want us to put the data in their S3 bucket. How can we do this securely? Now you might start with putting controls around the S3 bucket itself; make sure it’s properly locked down, audit logs and so on. But there’s a number of issues with this. In particular, S3 bucket permissions are easy to get wrong.

Capital One Breach

I was asked a question around the Capital One breach. It seems that, in some areas, fingers are being pointed at Amazon, and they should be held (at least partly) to blame for this. It also seems as if Senator Wyden is also asking Amazon questions around this. There’s also a question around Paige Thompson, the hacker, and her previous relationship as an Amazon employee. If she used any insider knowledge to break into Capital One then this would erode a lot of trust in Amazon’s Web Services, and the public cloud in general.

SecDevOps? DevSecOps? SecDevSecOpsSec!

I was at a conference the other week and the discussion turned to DevSecOps, and the comment of “it should have remained SecDevOps” was made. Now I’m a security guy so I joked that it really should be “SecDevSecOpsSec”, which got a laugh. But I was actually serious because I feel the focus on DevSecOps is causing a lot of other work to be missed. DevSecOps is good… A lot of the focus on DevSecOps is around improving code quality and security without harming the productivity enhancements that DevOps has brought to the table.

When MFA isn't necessarily strong

Every day we hear of yet another data breach. One common reason is because of password compromise. The problem may be because of successfully phishing; it may be due to password re-use; it may be due to brute force attacks; it may just be weak passwords. So it is now considered best practice to use some form of Multi Factor Authentication. To quickly summarise, MFA is 2-or-more of the following factors:

Adding some smarts to a dumb aircon

I have a Friedrich aircon. It’s of the old school. The only intelligent part of it is “eco” mode (turn off the fan when the temperature is cold enough) and a simple timer (“turn on in 9 hours time”). It’s this timer that annoys me; you have to set it every day. A number of days I would go to work, forgetting to set it, and come home to a house in the mid-90F.

Extending automation to the garage

My garage door is controlled my a Lynx 455 Plus garage opener This is a pretty traditional opener; a door-bell type button inside the garage to open/close the door and a remote control for wireless access. I wanted to see if I could make this smart-enabled. Now the control side is simple enough; just put a relay in parallel to the button. If the relay closes then the opener will think the button has been pressed.