SMLR 321: Stay 127.0.0.1
Contact Us:
show (at) smlr.us or the Contact us page
On the Lawrence Systems Forums
https://forums.lawrencesystems.com/c/smlr-podcast
Intro:
Tony Bemus, Tom Lawrence, Phil Porada and Jay LaCroix
Sound bites by Mike Tanner
Phil's GitHub
The LawrenceSystems YouTube Channel Where videos
https://www.youtube.com/user/TheTecknowledge
Jay’s Site
Jay’s Bash Prompt https://pastebin.com/kzPjE8y4
Show Notes
News
[Tom]
Use of proprietary software is ‘plummeting’, finds Red Hat report
https://www.redhat.com/en/enterprise-open-source-report/2020
[Phil] Protect our Speech and Security Online: Reject the Graham-Blumenthal Bill
https://act.eff.org/action/protect-our-speech-and-security-online-reject-the-graham-blumenthal-bill
Members of Congress have mounted a major threat to your freedom of speech and security online. Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) recently introduced a bill that would undermine key protections for Internet speech in U.S. law. It would also expose providers of the private messaging services we all rely on to serious legal risk, potentially forcing them to undermine their tools’ security.
- The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act) would create incentives for companies to “earn” liability protection for violations of laws related to online child sexual abuse material.
- It’s basically FOSTA/SESTA from 2018
- The so-called EARN IT Act (Senate bill 3398) is anti-speech, anti-security, anti-innovation, and unnecessary.
[Tom] Cloud’s Full
https://www.theregister.co.uk/2020/03/24/azure_seems_to_be_full/
Customers of Microsoft’s Azure cloud are reporting capacity issues such as the inability to create resources and associated reliability issues.
Outage-tracking website Down Detector shows quite a few reports about UK Azure issues today, yet the official Azure Status page is all green ticks. The inability to provision resources does not count as an outage as such – though it is more than an annoyance since it is not always feasible to create the resource in an alternative Azure region. Some types of resource have to be same region in order to work correctly without a lot of reconfiguration.
[Tom]
GIMP 2.10.18 Released, Includes New 3D Transform Tool
[Jay] Ubuntu Data Collection Report is Out! Read the Interesting Facts
https://itsfoss.com/ubuntu-data-collection-stats/
- The average Ubuntu install takes 18 minutes: take that, Windows 10 Update
- Not many dual boot (only 7.8%), and even fewer encrypt the disk (only 3.8%)
- The USA has the most users, followed by Brazil, India, China and Russia.
[Tony]
Diagram with anyone, anywhere.
diagrams.net is open-source, online, desktop and container-deployable diagramming software
[Tom]
Pet the cat, own the bathrobe: Linus Torvalds on working from home
Torvalds admits that when he started, “I worried about missing human interaction — not just talking to people in the office and hallways, but going out to lunch etc. It turns out I never really missed it.”
[Phil] Let’s Encrypt CAA Rechecking Bug aka the mass revocation event
https://letsencrypt.org/caaproblem/
- What is CAA?
- CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was standardized in 2013 by RFC 6844 to allow a CA to “reduce the risk of unintended certificate mis-issue.” By default, every public CA is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. That means that if there’s a bug in any one of the many public CAs’ validation processes, every domain name is potentially affected. CAA provides a way for domain holders to reduce that risk.
- BR §3.2.2.8
- As part of the issuance process, the CA MUST check for CAA records and follow the processing instructions found, for each dNSName in the subjectAltName extension of the certificate to be issued, as specified in RFC 6844. If the CA issues a certificate, they MUST do so within the TTL of the CAA record, or 8 hours, whichever is greater.
- The bug:
- When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.
- Impact:
- 2.6% of active certificates were potentially affected by the bug, totalling approximately 3 million certificates
- What did we do and what was our decision:
- Notifications were sent out to subscribers as fast as possible at the time
- 1.7 million affected certificates were replaced in less than 48 hours
- We chose not to revoke the remaining 1+ million certificates that were not renewed. Those remaining 1+ million certificates are evaluated weekly; some are revoked, and some will naturally expire due to the 90-day lifetimes.
- What does this mean? Should you trust Let’s Encrypt?
- That’s really up to you. It’s definitely worth reading the post-mortem and minute by minute playback on the community forum.
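As an added illustration (not Let's Encrypt's or Boulder's code), a small Python model of the CAA recheck described above: `caa_allows` does a simplified RFC 6844 tree climb over a constructed zone, `recheck_buggy` reproduces the one-name-checked-N-times defect beside the corrected `recheck_fixed`, and `needs_caa_recheck` applies the max(TTL, 8 hours) rule from BR §3.2.2.8. The domain names and CAA records are assumed sample data.

```python
from typing import Dict, List

# Constructed CAA data for the example: name -> CA tags permitted by its
# "issue" records. Assumed sample zone, not real DNS.
CAA_RECORDS: Dict[str, List[str]] = {
    "example.com": ["letsencrypt.org"],
    # Subdomain whose owner later added a CAA record that excludes Let's Encrypt.
    "mail.example.com": ["digicert.com"],
}

ISSUER = "letsencrypt.org"
EIGHT_HOURS_SECONDS = 8 * 3600


def caa_allows(name: str, issuer: str, records: Dict[str, List[str]]) -> bool:
    """Simplified RFC 6844 lookup: the closest name (itself or an ancestor)
    that has CAA records decides; with no CAA records anywhere, any CA may issue."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return issuer in records[candidate]
    return True


def recheck_buggy(names: List[str], issuer: str, records: Dict[str, List[str]]) -> List[bool]:
    """Models the Boulder defect: one name is picked and checked N times,
    so a newly restrictive CAA record on another SAN is never seen."""
    chosen = names[0]
    return [caa_allows(chosen, issuer, records) for _ in names]


def recheck_fixed(names: List[str], issuer: str, records: Dict[str, List[str]]) -> List[bool]:
    """Correct behaviour: every dNSName in the SAN list is rechecked."""
    return [caa_allows(n, issuer, records) for n in names]


def needs_caa_recheck(seconds_since_check: int, ttl_seconds: int) -> bool:
    """BR 3.2.2.8: a CAA check is only usable for max(TTL, 8 hours) before issuance."""
    return seconds_since_check > max(ttl_seconds, EIGHT_HOURS_SECONDS)


if __name__ == "__main__":
    sans = ["example.com", "www.example.com", "mail.example.com"]
    print("buggy allows issuance:", all(recheck_buggy(sans, ISSUER, CAA_RECORDS)))  # True (wrong)
    print("fixed allows issuance:", all(recheck_fixed(sans, ISSUER, CAA_RECORDS)))  # False
```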
[Tony]
Penguicon 2020 Has been Canceled
https://2020.penguicon.org/2020/03/canceled/
[Tony]
Coronavirus Impact: Can We Run Out of the Internet Because of People Working From Home?
US Government Sites Give Bad Security Advice
https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
Track Coronavirus Disease 2019 (COVID-19) Statistics From Commandline
https://www.ostechnix.com/track-coronavirus-disease-2019-covid-19-statistics-from-commandline/
This content is published under the Attribution-Noncommercial-Share Alike 3.0 Unported license.