Yahoo 'Via' header redirect loop

At work we run proxies for filtering malicious traffic and restricting access to unsavoury content - be it pornography or other things outside policy. For a while now we have had an issue where certain Yahoo-run systems will send continual 301 redirects until the browser gives up with an error.

It’s been really annoying to troubleshoot, as it wasn’t quite clear what would trigger it. The normal things like SSL inspection or broken cookies weren’t the cause, and it didn’t seem to be routing or anything else like that. The main time we had seen it was when a user with an iPad tried to access the Yahoo weather app and it wouldn’t work.

DIY bed head

I bought an IKEA bed without a head when I first moved in nearly four years ago, and I finally got around to dealing with it this past weekend. The general idea was to have something that kept my head away from the wall when it was cold, and not look too ugly. Simple, right?

I started by grabbing some material from Spotlight, the local “big box” fabric store. Padding wasn’t cheap, so a cheap(ish) camping mat from BCF was purchased, and some 2.4m lengths of “non structural pine” as well. These were the cheapest part of the whole thing at $2.88 each. I already had the uprights from a previous job, being some nice-ish 2x4" pine.

Auckland, Part One

RMB had been on her amazing South America trip for a few months and I wanted to see some shows in the Pop Up Globe where my friend Chantelle’s been doing some incredible work. These two things came together at the same time, so I toddled off to Auckland for a few days, then onto the cruise ship to come home via Sydney.

What a start to the trip! I misread my flight time and barely scraped into check-in by a few minutes; thankfully I’m paranoid about getting there early and had built in leeway. Between leaving home and landing in Auckland, my iPhone decided to do a weird battery thing so I ended up with ~10% battery upon landing. That was even after plugging it in to charge through the whole flight - the weird in-seat charger kept turning it on, which didn’t help. Customs and baggage collection were a breeze, and then I tried to buy a SIM for my 3G hotspot, but tried two different companies’ offerings before giving up.

Learning pillow

Recently I was playing with date formatting in Python and wrote a little script which takes a JSON object full of upcoming dates, then shows a countdown.

Running this in the terminal is easy, but I wanted a simple way to see the information without having to do that. I could have written a macOS app to add to the UI at some point, but Swift is still a mess and I’m not going to go learn Objective-C just for this one. I had used PIL (more specifically Pillow, the working rewrite) in the past through some other work, but figured it would be handy to learn it.

Make Blue Great Again

I get it, I really do. Red team engagements are amazing and they’re a great way to identify problems in our environments. They’re really cool to talk about to your CEO buddies, and while you pay the bill you get to imagine a crack military-style force attacking your perimeter and attempting to breach your defences. They’re the cool thing that every security guy wants to do, because Blue’s the boring one, right?

Docker Networking Issue

So I kept having issues with connectivity in the docker system I run on my laptop. Couldn’t get it to pull images, build or whatever I needed to do.

$ docker build .
Sending build context to Docker daemon 13.61 MB
Step 1/9 : FROM ubuntu:latest
Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io on 192.168.88.1:53: read udp 10.0.2.15:60485->192.168.88.1:53: i/o timeout

Turns out my docker machine was a bit special - probably because I hop between different networks fairly regularly.

ASA certificates and OpenSSL

While messing with a Cisco ASA, I needed to pull a certificate out of the config. When I tried to parse it with openssl, it wasn’t pleased with the PKCS12 format file the ASA claims to have exported:

139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:\
   wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:\
   nested asn1 error:tasn_dec.c:381:Type=PKCS12

Even Windows wouldn’t have a bar of it, which is unsurprising. Its certificate handling’s for shit anyway. I found the answer here on Stack Overflow (of course): OpenSSL cannot convert PKCS12 exported from Cisco ASA 55xx.

Are You Secure?

I was commenting on the seeming madness and complexity of our work firewall design recently:

We just drew a network diagram on the wall of just our firewalls, 12’ wide, 6’ tall… at the end, I jumped up and yelled “THE ARISTOCRATS”. Seemed required.

And someone asked “are you secure?”. Now, I could go with what we tell management - that we’re as secure as budgets allow - or a variety of other answers. This time, full objective honesty seemed to rule.

Filename wrangling fun

I learnt some new things today about how to deal with filenames in bash.

$ touch foo
$ ls foo*
foo
$ mv foo{,z}
$ ls foo*
fooz

Alternatively…

$ touch foo{1,2,3}
$ ls foo*
foo1 foo2 foo3
$ find . -name "foo*" -exec mv {}{,old} \;
$ ls foo*
foo1old	foo2old	foo3old

Silliness, I know. But handy when you want to rename a bunch of things, or just rename one without messing it up.

Loopback swap files

Setting up a loopback swap file is something I do fairly commonly on my virtual servers: RAM costs extra money, whereas SSD storage is common and included! Repartitioning’s too much messing around on DigitalOcean, so I set up a loopback file and it just works.

Here are the commands to make a 2GB file (change count for different sizes):

yaleman@server:~# sudo dd if=/dev/zero of=/swap.img bs=1024 count=2097152
2097152+0 records in
2097152+0 records out
2147483648 bytes (2.1 GB) copied, 9.69851 s, 221 MB/s
yaleman@server:~# sudo chmod 0600 /swap.img
yaleman@server:~# sudo mkswap /swap.img
Setting up swapspace version 1, size = 2097148 KiB
no label, UUID=a78f6315-aba5-4d88-bb67-211f1a0c5e56

Edit the filesystem table:
