A video explaining why SMS two-factor authentication is not secure.
Exposing The Flaw In Our Phone System – https://youtu.be/wVyu7NB7W6Y?si=vpdy_YKWUvwxwYm7
白翼's Server Operations Blog
a) regreSSHion, CVE-2024-6387, is an unauthenticated remote code execution in OpenSSH’s server (sshd) that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk. [link]
Debian 12 users are advised to upgrade to 1:9.2p1-2+deb12u3 immediately. [link]
b) NGINX PGP Signing Key is updated, all NGINX repository users are required to import the new keys. [link]
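Ever since the bgp.he.net service became unstable, I have been thinking about deploying a simple domain DNS lookup tool for my own use. Today I finally built a simple one with Svelte and GitHub Pages.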
Recommend reading: Why Mailhardener recommends SPF softfail over fail
Just for fun: Now using BigQuery to import my credit card bills and analyze them, lol. (And the highest went to Uber Eats with no competition…)
SELECT
shop,
FORMAT_DATE('%Y-%m', date) ym,
SUM(amount) as `count`
FROM `credit_csvs.utf-8`
GROUP BY ym, shop
ORDER BY count DESC
Replacing my Python analyzing script so I can just focus on adding more complex queries for future uses.
Interesting finding: emails sent to a Proofpoint-protected MX might get rejected if the source domain has a stronger DMARC policy, e.g. strict DKIM alignment.
It all begins with a DMARC report I received from Outlook…
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
I was then eager to find out why DKIM failed in this case, and did some tests with a domain that has its MX pointed to pphosted servers. In the end, I was able to reproduce the issue by including a URL link in my email so that it would be rewritten to a URL Defense link. As a result, the email body was modified, which resulted in dkim=fail (body hash did not verify).
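The failure mode described above, as an added example (not code from the original post): it computes the DKIM body hash (`bh=`) with RFC 6376 relaxed body canonicalization and shows that whitespace-only changes still verify while a rewritten link does not. The sample bodies, the `rewriter.example` URL, the selector and the signature header are constructed for illustration and do not reproduce the real URL Defense format.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    # Assumption: bare LF is treated as CRLF so the constructed samples stay simple.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_from_signature(header_value: str) -> str:
    """Extract the bh= tag from a DKIM-Signature header value."""
    pairs = (t.split("=", 1) for t in header_value.split(";") if "=" in t)
    tags = {k.strip(): v for k, v in pairs}
    return re.sub(r"\s+", "", tags["bh"])  # folding whitespace is allowed inside bh

def body_hash_verifies(header_value: str, received_body: bytes) -> bool:
    """True when the body as received still matches the signer's bh=."""
    return bh_from_signature(header_value) == body_hash(received_body)

# Constructed samples: the body as signed, a whitespace-only variant, and a
# variant where a gateway replaced the link with a wrapped one.
ORIGINAL = b"Hi,\r\n\r\nThe report is at https://example.com/report\r\n"
WHITESPACE_ONLY = b"Hi,  \r\n\r\nThe report   is at https://example.com/report\r\n\r\n\r\n"
REWRITTEN = (b"Hi,\r\n\r\nThe report is at "
             b"https://rewriter.example/v1/?u=https%3A%2F%2Fexample.com%2Freport\r\n")

# Constructed DKIM-Signature value; b= is omitted because only bh= matters here.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "bh=" + body_hash(ORIGINAL) + "; b=(omitted)")

if __name__ == "__main__":
    for name, body in [("original", ORIGINAL),
                       ("whitespace only", WHITESPACE_ONLY),
                       ("link rewritten", REWRITTEN)]:
        verdict = "pass" if body_hash_verifies(SIGNATURE, body) else "fail"
        print(f"{name:16} bh check: {verdict}")
```

Because the rewrite happens after signing, no canonicalization choice on the sender side can keep `bh=` valid; the receiving side has to verify DKIM before the body is modified.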
Disable the following flags (or search 2023 on the flags page for more):
chrome://flags/#chrome-refresh-2023
chrome://flags/#chrome-webui-refresh-2023
Thank you to all the contributors on the CentOS Project. And goodbye Red Hat.
CentOS has been my go-to for the past decades and what got me into the Linux world. Moving on to the next decade with Debian – https://github.com/richardevs/debian12-ansible
With Digicert’s acquisition of DNS Made Easy (DNSME), DNSME has since hiked up their pricing for 25 zones from $75.00 to an astonishing $675 (Annual).
To be fair, existing users (legacy Business plan) only got a small bump from $75.00 to $96.00/yr, but, who knows how long that can last?
Since then I’ve been thinking about where I should migrate my DNS to after my contract with DNSME is due. I thought about building my own DNS clusters but it is just not worth it to spin up VMs around the world myself. Amazon Route 53 has been my first choice but recently I find that ClouDNS is not just a free DNS service as I always thought, they also offer Premium DNS. Duh.
So far, ClouDNS seems to tick all my boxes:
– Anycast DNS, with PoPs in Asia (Hong Kong, Taiwan, Japan)
– Low TTL value (Would love to have as low as 1s, but 60s will do, as most recursive DNS does not respect a value lower than that anyway)
– DNSSEC support (Suck it Digicert DNSME for only providing DNSSEC on their $2100/yr plan)
– Super reasonable pricing (Premium M, 75 zones for only $54.45/yr, that’s a bargain)
– White-label support (Even with an option to upgrade to dedicated IPs and PTRs for only $25/month, damn)
One worry is that I did not find any documents mentioning the DNS propagation speed for ClouDNS’ zone records.
Will definitely be evaluating that and more as soon as I reach my last contracted year with DNSME 🙂