I went to my second Defcon 916 meeting yesterday. They did a great hands-on demonstration of remotely obtaining a root shell on a slightly-misconfigured GNU/Linux web server.
The principles are largely the same as from my hacking days in the 1990s, but the tools… there’s a brave new world of resources for the would-be pwner.
I also realized it was the first time I’ve done any kind of hacking when there was someone else in the same room.
Yes, I am one of those Linux jockeys who loathe systemd. Why? In a nutshell, I have had more unscheduled downtime directly attributable to systemd than all other downtime combined over the past fifteen years.
I have one whitebox router I built that loses its iptables settings on reboot, leaving this web site and a few others unreachable until I sign on and manually reset the iptables rules. Naturally, I blamed some systemd weirdness. As it turns out, it was due to a small init script I had written to work around a bug systemd had when it was first released. So, though the mistake was actually mine, it wouldn’t have happened if there hadn’t been an opaque bug in systemd.
I just hope Devuan gets the ongoing love it deserves.
I attended DEFCON 916 today, a local group of hacker sorts. I haven’t been to a DEFCON since near the beginning (1997, IIRC), but there seem to be few local events for the geeky crowd. I’ve been doing my infosec work in almost total isolation since moving to Sacramento, so it was nice to meet some of the tribe IRL.
I struggled for years with SSL certificates. They were often expensive, limited, and most of the CAs I had to deal with seemed kind of… sleazy. I remember it taking weeks and way too much money to get my first certificate for the now-defunct ssl.guerillaphysician.com domain. I’ve always felt, though, that SSL/TLS should have been the default web protocol from the beginning.
I just renewed my membership to TidBITS. If you’ve never heard of TidBITS, you should check them out. They have been publishing continuously online for 28 years, and their content is second to none. They also host an amazing online discussion list, TidBITS-Talk. The site’s content is focused on Apple news and technology, but the quality of the journalism is so high and the coverage is broad enough that there is likely something there for everyone.
Membership is completely optional, so check it out. It is not hyperbole to say that TidBITS has improved the quality of my life every week for the past quarter century.
Ha! It just occurred to me that I have now embraced three technologies that I have heretofore avoided: WordPress itself has had a number of security issues, and PHP and MySQL have a level of configuration complexity that can lead to vulnerabilities. But that’s history, right? At least I am isolating these technologies on their own physical box away from sensitive information. Time will tell.
I’m pleased with how the pages are looking after migrating to WordPress.
I am planning on keeping the ancient legacy pages as is, but I want to get rid of all of the TWiki pages, since I’d like to not have to worry about TWiki security vulnerabilities.
I’m doing some reorganizing. I am moving many legacy pages to TLS-secured servers and starting a slow migration away from the TWiki collaboration platform I have used for many years. My blog, looseassociations.com, has been migrated to WordPress. I’m slowly moving TWiki content from the risley.net domain into WordPress. The ancient pre-TWiki risley.net pages are still here, though they might be kind of hard to find (and likely not worth the effort).
I am doing my best to preserve the deep links from other sites that I know about, but there will be casualties.