DigiCert recently was forced to invalidate something like 50,000 of their DNS-challenge based certs because of a bug in their system, and they gave companies like mine only 24 hours to renew them before invalidating the old ones…

My employer had an EV cert for years on our primary domain. The C-suites, etc. thought it was important. Then one of our engineers who focuses on SEO demonstrated how the EV cert slowed down page loads enough that search engines like Google might take notice. Apparently EV certs trigger an additional lookup by the browser to confirm the extended validity.

Once the powers-that-be understood that the EV cert wasn’t offering any additional usefulness, and might be impacting our SEO performance (however small) they had us get rid of it and use a good old OV cert instead.

Depends on a large part how deep the water is right at the edge. The bows of the boats are largely on top of the surface. The stern of the boats sit lower in the water, and when lowered the outboard motors will sit a foot or more under the surface. It’s very possible that at low tide the prop could hit bottom when backing in…

If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.

Port 22 is the default SSH port and it receives a TON of malicious traffic any time it’s open to the whole internet. 20 years ago I saw a newly installed server with a weak root password get infected by an IP address in China less than an hour after being connected to the open internet.

With all the bots out there these days it would probably take a lot less time if we ran the same experiment again.

Depends on the content. My employers sites are a good mix of images, static, and dynamic content, and we rely heavily on Akamai. Their caching of our images offloads a huge amount of work from our origins. We also use their Image Manager tool to optimize a lot of the images seamlessly, which adds further optimization. Their WAF and other security tools are also very impressive.

She talks about it in this video.

deleted by creator

Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.

This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.

I never would have thought of it but I recently saw a novel use of DNS to exfiltrate data from a compromised server.

My employer takes security very seriously. Our public facing web servers are very thoroughly locked down, or so we thought. We contract with companies like HackerOne to perform penetration testing etc. One of their white hat hackers managed a remote command attack, and copied data off of the server via a string of DNS queries.

Suppose the hacker owned the domain example.com, and he had his own authoritative nameserver for it. He just ran a series of commands that took, for example, a password file, and ran DNS queries for line1.example.com, line2.example.com, line3.example.com and so on for each line in the file. As a result the log file on his DNS server collected each line of the password file as it responded to each query.

I don’t know this material at all but enjoy the genre, so figured I would go see it. But after all the bad press it’s been getting I figure I’ll wait until I can download it.

deleted by creator

I loved the bit where he spent a small pile of that money on an Inverted Jenny postage stamp then used it to send a postcard.

Just as long as he declares it “an official act”. I think he just has to say that. It doesn’t have to be written down or anything. And it doesn’t matter if anybody actually hears him say it, as long as he does.

It’s not currently in the best interest.

IF Trump wins the election then it would be in the best interests of the US. It would be akin to a judge throwing out a juries verdict because the jury clearly made the wrong decision.

I don’t understand why Cloudflare gets bashed so much over this… EVERY CDN out there does exactly the same thing. It’s how CDN’s work. Whether it’s Akamai, AWS, Google Cloud CDN, Fastly, Microsoft Azure CDN, or some other provider, they all do the same thing. In order to operate properly they need access to unencrypted content so that they can determine how to cache it properly and serve it from those caches instead of always going back to your origin server.

My employer uses both Akamai and AWS, and we’re well aware of this fact and what it means.

I’ve heard of all sorts of issues with my fiber ISP (Verizon Fios) rolling out IPv6. It’s been years that they’ve been slowly rolling it out for testing in a few places. There’s virtually no useful documentation on their website about it. And it’s still not available where I am.

If you’re in the Boston area or nearby suburbs the all the sewage goes to the Deer Island treatment plant which eventually pumps the treated water out into the Atlantic…

My understanding is that the lava house became an attraction more than a personal home. Folks would hike in there to stay a few days, B&B style, to get married there, etc.

They did that in Hawaii decades ago when Kīlauea covered Chain of Craters road and others.

Kīlauea said “Fuck that” and covered the roads again and again, along with entire neighborhoods. The Hawaiians just let it all go back to nature now. You can drive roughly 10 miles of Chain of Craters Road now, which is in Volcanoes National Park, until it ends very much like the road in this picture.

Speaking of Kīlauea, you might be interested in reading about Jacks Lava House which survived for years as the entire neighborhood around it was reclaimed by the volcano. It was eventually reclaimed by Kīlauea as well about a decade ago.