ROYSDON
Jason Roysdon dot Net
Now viewing all posts in Security

Free SSL Certificates

March 6th 2010

If you have your own domain, like roysdon.net, you may at some point want to be able to log in to a webpage, receive and send email, transfer files with FTP, and even connect to your own network with a virtual private network, or VPN. You'll want to do this securely so you know no one is watching your login authentication or the data that you're transmitting.

Secure Sockets Layer, or SSL, is the means to accomplish this. Then you can log in from a PC and trust that your authentication and data aren't going to be intercepted or modified on the way from the PC to the server.

In order to use SSL you need at least one SSL certificate. While you can create an SSL certificate and self-sign it, the rest of the world will not trust it, and it'll cause error messages about being untrusted.

The important step in having the rest of the world trust your certificate is to have your SSL certificate signed by a Root Certificate Authority, or Root CA. Root CAs normally charge for this service, but you can get a CA-signed SSL certificate for free.


Serial port redirection to console in Linux

March 5th 2010

There are times when keyboard and video monitor (KVM) access is not available or scalable. Serial port redirection to console is a way to access hosts before the OS boots in Linux.

I will discuss 3 different steps that are needed to accomplish this in Linux.


Website Gotchas 101

March 3rd 2010

So you want to make the leap on to the interwebs, I mean webtubes. You want something bigger than your FaceSpace, err, MyBook page. You know those social-thing-a-ma-bobs, right? But you don't have big enough pipes coming to your house? What do you do?

You can pay someone like Hurricane Electric $1/month to host it (or GoDaddy, GKG.net, and hundreds if not thousands of others out there). But how do you choose? Here's how:


Following Fedora Package releases for RHEL/CentOS admins

January 19th 2010

There come times when you need a feature that is not yet in the version of a package RedHat has released for Enterprise Linux (RHEL, or just EL). BIND is a perfect example of this.

RedHat still ships BIND 9.3 (with back-ported bug-fixes for security), but for full DNSSEC support you want Fedora's BIND 9.6.

My goal: don't go totally off the beaten path and compile from source from the BIND upstream, don't become a package maintainer, don't trust a non-RedHat source, but still don't want to even have to think much about any of these non-Official Packages I'm using until updates come out. Fast and proven aren't always compatible, so at least "tested" from RedHat/Fedora will work for me.


Wordpress Update 2.8.5

October 23rd 2009

I just wanted to give a shout out to Wordpress, my blogging platform. I've used it since I switched from MovableType whenever they went to a pay model, plus I wanted a completely OSS solution that I could use commercially.

I love that I can upgrade my Wordpress version with the click of a link on my Dashboard.

In fact, it takes me longer to back up my Wordpress install than to update it, just because I need to type in my mysql password:


Securing your PC on a budget

October 15th 2009

There are many different options to help you secure your PC: good password protection, software protection, and network/DNS protection.

There are two important things you can do to secure your computer, no matter if you run on Windows, Mac, Linux, *BSD, or whatever.


SSH Public Keys & Fingerprints via DNSSEC

October 14th 2009

High level:
When you SSH to a host/server, the host/server sends its Public Key, much the same as an SSL connection allows you to do with a web-based https connection. This allows you to encrypt data from your client and send it to the host/server which has the Private Key to decrypt it.

With SSL/https we have Certificate Authorities (CAs) that do some sort of verification and then sign SSL certs. Our web browsers (Internet Explorer, Firefox, Opera, Safari, etc.) come with a list of CA Roots. This allows us to verify without going external to our clients that a Public Key is legit, as it has been signed by a pre-trusted CA Root.


DNSSEC technical details

September 7th 2009

I originally posted a more simplistic overview of DNSSEC that is a good first read if you're new to the subject.

I'm going to borrow and re-work a little content I made from a future post about SSHFP but that is relevant to DNSSEC.

With SSL/https we have Certificate Authorities (CAs) that do some sort of verification and then sign SSL certs. Our web browsers (Internet Explorer, Firefox, Opera, Safari, etc.) come with a list of CA Roots. This allows us to verify without going external to our clients that a Public Key is legit, as it has been signed by a pre-trusted CA Root.

...

DNS suffers from the same MitM attack problem as anything else. However, we can sign DNS with DNSSEC and we already have trusted equivalents of CA Roots, in the form of the DLV.isc.org system, and eventually with DNSSEC signed DNS roots.

DNSSEC is not the same as CA roots, but it is close in some ways.


Why you want Google Voice

July 22nd 2009

Moments ago this conversation took place via SMS to my Google Voice number:

(408) 642-XXXX: My bad bt wat u doen 2:47 PM
Me: Who is this? 3:16 PM
(408) 642-XXXX: Wh0 iS dIS 3:16 PM
Me: Yes, that's what I asked. Who is this? 3:17 PM
(408) 642-XXXX: N0 N0 WH0 iS dISz 3:18 PM


Securing the internet with DNSSEC, one DNS query at a time

April 27th 2009

Dan Kaminsky found one design flaw with the majority of DNS servers as well as exactly how to exploit it in a repeatable fashion. There are many other problems with DNS attacks that would be solved with DNSSEC.

Just what is DNS?


Secure email and files

April 2nd 2009

There are plenty of legitimate reasons to use encryption for emails. Some reasons for using encryption are overseas communications with relatives or business partners, or even local communication of a highly sensitive or confidential nature, such as network configuration files, Visio network diagrams, system passwords, etc. Perhaps you want to email your paystub PDF from your work email to your personal email; that'd be the perfect candidate for encryption.


How secure is your network?

March 31st 2009

Conficker is set to start its new "upgrade" right now, starting in the GMT timezone and rolling around the world as April 1st starts. All infected PCs with Conficker will attempt to get new instructions, and depending on how well crafted they are and how many infected or unpatched PCs there still are.

End users can do quick tests
