Author Archives: wp-roland

Corona App of Deutsche Telekom lacks SSL security

Be careful with what kind of app you are installing these days. Corona apps in particular are expected to be on the market as soon as possible (like yesterday), but this might come at the cost of reliability and security.

The Corona App of Deutsche Telekom uses insecure SSL encryption to communicate with its cloud servers. While the app itself is functioning and useful, personal health data should be handled in a more secure way.

https://www.heise.de/ct/artikel/c-t-deckt-auf-Corona-App-der-Telekom-ist-katastrophal-unsicher-4694222.html?wt_mc=nl.red.security.security-nl.2020-04-02.link.link


Coronavirus: The Age of the Internet

Right now on the Internet you read a lot about staying at home and washing your hands thoroughly to prevent further spread of the virus.

But way more important is what you don't read. I stumbled across the following online news article of the Jerusalem Post. Looks legit to me. Nevertheless I haven't read anything about those Israeli scientists anywhere else.

Neither denying nor confirming news articles like these is probably the worst thing officials in other countries can do. It ultimately leads to disorientation and panic.

Lessons learned: Today we already live in the age of the internet. But while infrastructure and communication services might be functioning pretty well, we still need to learn how to communicate effectively, and to distribute the right news and information at the right time.

You better stick to your promises:
Israeli scientists: 'In a few weeks, we will have coronavirus vaccine' (MARCH 15, 2020)

https://www.jpost.com/HEALTH-SCIENCE/Israeli-scientists-In-three-weeks-we-will-have-coronavirus-vaccine-619101?fbclid=IwAR0kzurRC_hrK1AA3BWGZ8G-TYd91YhM7LhbeoYLQUZz7oGqBepgHFk8Yq4


NetworkManager in Ubuntu 19.10 and 20.04 not working

NetworkManager in Ubuntu 19.10 and 20.04 is disabled by default for all devices except WiFi connections. If you experience any problems with ethernet connections or VLANs (including a VLAN that might be configured by netplan but doesn't get activated), check the configuration file 10-globally-managed-devices.conf.

/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf:

[keyfile]
unmanaged-devices=*,except:type:wifi,except:type:gsm,except:type:cdma

As you can see, all devices are declared unmanaged by default, except for wifi, gsm and cdma devices. Move the file to /etc/NetworkManager/conf.d and change it to:

[keyfile]
unmanaged-devices=*,except:type:wifi,except:type:gsm,except:type:cdma,except:type:wwan,except:type:ethernet,except:type:vlan

Restart NetworkManager:

sudo systemctl restart network-manager
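The following script is an added example, not from the original post: it writes the stock keyfile and the extended one into a directory of your choice, and checks which device types each version leaves under NetworkManager's control, so you can verify the file before restarting anything. A file of the same name in /etc/NetworkManager/conf.d shadows the one in /usr/lib/NetworkManager/conf.d, which is why the post has you place the edited copy there. The install function writes the real path and must be run as root.

```shell
#!/bin/sh
# Added example (not part of the original post). The two configurations below are
# the ones quoted in the post; CONF_NAME is the file name NetworkManager ships.

CONF_NAME=10-globally-managed-devices.conf

# The stock file from /usr/lib/NetworkManager/conf.d: everything unmanaged except
# wifi, gsm and cdma, so ethernet and vlan devices are left to netplan/networkd.
write_stock_conf() {
  dir="$1"
  printf '%s\n' '[keyfile]' \
    'unmanaged-devices=*,except:type:wifi,except:type:gsm,except:type:cdma' \
    > "$dir/$CONF_NAME"
}

# The extended file for /etc/NetworkManager/conf.d that also hands wwan, ethernet
# and vlan devices to NetworkManager.
write_override_conf() {
  dir="$1"
  printf '%s\n' '[keyfile]' \
    'unmanaged-devices=*,except:type:wifi,except:type:gsm,except:type:cdma,except:type:wwan,except:type:ethernet,except:type:vlan' \
    > "$dir/$CONF_NAME"
}

# Return 0 if the conf file $1 lists device type $2 as an exception, i.e. managed.
# The value is a comma-separated list, so split it and look for an exact entry.
nm_manages_type() {
  conf="$1"; type="$2"
  grep '^unmanaged-devices=' "$conf" | sed 's/^unmanaged-devices=//' \
    | tr ',' '\n' | grep -qx -- "except:type:$type"
}

# Install the override for real and restart NetworkManager. Run as root.
install_override() {
  write_override_conf /etc/NetworkManager/conf.d || return 1
  systemctl restart network-manager
}

# Stand-alone usage: compare both variants in a scratch directory.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_stock_conf "$d"
  nm_manages_type "$d/$CONF_NAME" ethernet && echo "stock: ethernet managed" || echo "stock: ethernet unmanaged"
  write_override_conf "$d"
  nm_manages_type "$d/$CONF_NAME" ethernet && echo "override: ethernet managed" || echo "override: ethernet unmanaged"
  rm -rf "$d"
fi
```

After `install_override`, `nmcli device status` should no longer show the ethernet and vlan interfaces as "unmanaged".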

Free Julian Assange

https://www.change.org/p/free-julian-assange-before-it-s-too-late-stop-usa-extradition

My personal prediction:
It is pretty obvious that the US government has no special interest in an early conviction. They just want to hunt Julian Assange down and torture him for the rest of his life. And there sure are plenty of mentally deranged psychos on the CIA payroll who are more than willing to, and take great delight in, skillfully exercising this task.

If he is found guilty, a lot of people will accuse the US government of disregarding the freedom of press.

If he is not or only partially found guilty, the US government might be considered weak and send a wrong signal to all future whistleblowers.

So why would the US government be in a hurry for a fair trial that the whole world will be watching closely? Slowly cooking him to death is surely the more gruesome alternative.


First Deepfake Face Swap Movie

Georges Méliès was one of the first creators of special effects in early silent movies. In "A Trip to the Moon" (1902) he projected his own face onto the surface of the moon.

While the image quality is not comparable to modern movies, the effects are still amazing considering they were created almost 120 years ago, without the help of any computers!


Chelsea Manning is being tortured

A top United Nations official just condemned the continuing imprisonment of Chelsea Manning as torture and called for her immediate release.

https://www.theguardian.com/us-news/2019/dec/31/chelsea-manning-us-torture-un-official-wikileaks?link_id=3&can_id=9789abc639a66414f4adc2d0eb5989b5&source=email-chelsea-manning-is-being-tortured-2&email_referrer=email_694687&email_subject=chelsea-manning-is-being-tortured

Sign the petition: tell the government to stop torturing Chelsea Manning and set her free.

Chelsea Manning already gave an extensive statement in her 2013 trial and was sentenced to 35 years in prison. After 7 years in prison and 2 suicide attempts she was released in 2017, her sentence having been commuted by President Obama himself ("Justice has been served."). This case is history.


Evolution of Managed Network Services


... or how to get rid of monolithic service architectures.

1991 - CORBA
A distributed management framework for network services. The father of it all. First on Uni* systems, later on other operating systems as well.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

1996 - DCOM
A distributed management framework for network services. The Microsoft way. Back in the day, Microsoft reinvented everything to set new standards and own them.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

1997 - Java JNDI and RMI
A distributed management framework for network services. Along came the bytecode revolution with Java, and yes, of course Java wanted to do it the Java way.

Pros:
- Not monolithic as everything before.
- It's Java, so it must be totally awesome.

1999 - Java JNDI and EJB
A distributed management framework for network services. Way cooler than RMI.

Pros:
- Not monolithic as everything before.
- Even more object-oriented, so it must be totally awesome.

1999 - Java JNDI and Tomcat
A distributed management framework for network services. Way cooler than EJB.

Pros:
- Not monolithic as everything before.
- Everyone is using it, so it must be totally awesome.

2003 - SOAP
Distributed network services. Can be used by other programming languages than Java. In case there are any. Lacks service discovery, as e.g. CORBA already provided out of the box more than 20 years ago. So you need an additional layer called ESB.

Pros:
- Not monolithic as everything before.
- The "O" stands for "Object", so it must be totally awesome.

201? - REST
Distributed network services. Advancement of SOAP.

Pros:
- Almost the same as SOAP, just a bit smaller.

2015 - Cloud Microservices
A distributed management framework for network services. Based on REST. Lacks service discovery though, as e.g. CORBA already provided out of the box more than 20 years ago. So you need an additional layer called service mesh.

Pros:
- Not monolithic as everything before.
- It has the word "Cloud" in it, so it must be totally awesome.

202? - ...
Not sure what it will be called, but sure as hell it will be a distributed management framework for network services. And it will be way hotter than everything before, because it will not be monolithic.


Criswell Predicts ... IT in 2020


As the new year is approaching, there are - inevitably, as every year - predictions about what's coming up in IT next year.

Unfortunately everything I have read so far is bleeding obvious: moving to the cloud, AI will be used everywhere, and Python is becoming the most dominant programming language. Rather than merely continuing the trends from 2019, here are my wild predictions for 2020:

  • With yet another devastating side-channel security breach in Intel and AMD processors, all major cloud providers are moving their server hardware to ARM processors.
  • An unnamed whistleblower reveals that the NSA is using quantum computers and AI to profile every single citizen in the world in real time. Data is retrieved from TLS connections decrypted by quantum computers, and from numerous microsatellites orbiting the earth.
  • Chinese smartphones running their own Chinese open source operating system are becoming the de facto standard for secure and affordable mobile devices.
  • Large companies like Apple, Google and Microsoft are launching their own space missions to mine natural resources on the moon and Mars.
  • Large companies like Apple, Google and Facebook begin to span their own microsatellite networks to provide mobile phone and internet services around the globe. National telecommunication companies become obsolete.
  • Deepfake videos are banned by all major industrial countries around the globe. Social media platforms are legally obliged to detect and delete deepfake videos.
  • In a rather controversial press conference Microsoft announces it will discontinue Outlook as an installable email program and urges Windows users to migrate to the corresponding cloud service Office 365. Users will have to pay a monthly fee for using Outlook email services. Alternatively Microsoft recommends Mozilla's Thunderbird as an installable email client on local Windows computers.


Let's Encrypt Certificate for SMTP with STARTTLS


Let's Encrypt provides an easy way to get free certificates not only for web servers, but also for email servers like Postfix.

The way Let's Encrypt usually works requires you to set up a web server. Let's Encrypt sends you a challenge, and you have to prove ownership of the domain by providing a response to that challenge. You do this by placing the response at a certain URL on your web server:
http://www.yourserver.com/.well-known/acme-challenge/FgedPYS65N3HfwmM7IWY2...

That way you prove that you are the owner of the domain "yourserver.com". But there is another, even easier way to prove ownership of a domain: DNS. You place the response in a specific TXT record of your domain: _acme-challenge.www.yourserver.com

  • You can use your domain hosting service (GoDaddy, Whois, etc.) to create a new TXT record.
  • The "certbot" command line client does all the rest in just one call.
  • Under Debian 9 and 10, "certbot" is part of the official package repository.
  • You can run certbot on any Linux client. You don't have to run it on the email server.

Example

In this example the public hostname of your mail server is mx.yourserver.com. Therefore you have to create a TXT record called _acme-challenge.mx.yourserver.com. The value of the TXT record is in the output of certbot.

# certbot certonly --manual --preferred-challenges dns -d mx.yourserver.com
 
Saving debug log to /var/log/letsencrypt/letsencrypt.log 
Plugins selected: Authenticator manual, Installer None 
Obtaining a new certificate 
Performing the following challenges: 
dns-01 challenge for mx.yourserver.com 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
NOTE: The IP of this machine will be publicly logged as having requested this 
certificate. If you're running certbot in manual mode on a machine that is not 
your server, please ensure you're okay with that. 
 
Are you OK with your IP being logged? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please deploy a DNS TXT record under the name 
_acme-challenge.mx.yourserver.com with the following value: 
 
1A4RACHEISTBLUTWURST_egTVadkeiieikeieisfkfk
 
Before continuing, verify the record is deployed. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Press Enter to Continue 
Waiting for verification... 
Cleaning up challenges 
 
IMPORTANT NOTES: 
 - Congratulations! Your certificate and chain have been saved at: 
   /etc/letsencrypt/live/mx.yourserver.com/fullchain.pem 
   Your key file has been saved at: 
   /etc/letsencrypt/live/mx.yourserver.com/privkey.pem 
   Your cert will expire on 2020-02-15. To obtain a new or tweaked 
   version of this certificate in the future, simply run certbot 
   again. To non-interactively renew *all* of your certificates, run 
   "certbot renew" 
 - If you like Certbot, please consider supporting our work by: 
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate 
   Donating to EFF:                    https://eff.org/donate-le
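Two things the certbot session above leaves to you are checking that the TXT record is really visible in public DNS before you press Enter (certbot fails the challenge if the record has not propagated yet), and pointing Postfix at the files it wrote. The script below is an added example, not from the original post or from certbot: it derives the challenge record name, checks dig output for the expected value, and emits the Postfix STARTTLS settings for the certificate paths certbot reported. It assumes dig and postconf are installed; the hostname mx.yourserver.com, the record value (taken from the session above) and the 8.8.8.8 resolver are placeholders. One caveat with --manual: "certbot renew" cannot repeat a manual dns-01 challenge on its own, so renewal either has to be run interactively again or be automated with a DNS plugin or a --manual-auth-hook script.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes dig (dnsutils) and postconf
# (Postfix); hostnames, record value and resolver are placeholders.

# Name of the TXT record certbot asks for in a dns-01 challenge.
acme_challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Read "dig +short TXT ..." output on stdin; return 0 if the expected value is
# there. dig prints each TXT string in double quotes, so strip them first.
txt_has_value() {
  tr -d '"' | grep -qx -- "$1"
}

# Poll a public resolver until the record is live. Use this before pressing
# Enter in certbot's manual mode; the local resolver may still have a cached
# negative answer, which is why a public resolver is queried explicitly.
wait_for_txt_record() {
  host="$1"; expected="$2"; resolver="${3:-8.8.8.8}"
  name=$(acme_challenge_name "$host")
  for attempt in 1 2 3 4 5 6; do
    if dig "@$resolver" +short TXT "$name" | txt_has_value "$expected"; then
      echo "record $name is live"
      return 0
    fi
    echo "attempt $attempt: $name not visible yet, waiting"
    sleep 10
  done
  return 1
}

# Postfix parameters for STARTTLS with the Let's Encrypt files certbot wrote.
# "may" offers TLS opportunistically in both directions; Postfix's default for
# both security levels is empty, i.e. no TLS at all.
postfix_tls_settings() {
  host="$1"
  printf 'smtpd_tls_cert_file = /etc/letsencrypt/live/%s/fullchain.pem\n' "$host"
  printf 'smtpd_tls_key_file = /etc/letsencrypt/live/%s/privkey.pem\n' "$host"
  printf 'smtpd_tls_security_level = may\n'
  printf 'smtp_tls_security_level = may\n'
}

# Write the settings into main.cf and reload Postfix. Run as root.
apply_postfix_tls() {
  postfix_tls_settings "$1" | while IFS= read -r line; do
    postconf -e "$line" || exit 1
  done || return 1
  postfix reload
}

# Stand-alone usage: wait_for_txt_record mx.yourserver.com <value-from-certbot>
# followed by apply_postfix_tls mx.yourserver.com once certbot has finished.
```

After reloading, `openssl s_client -starttls smtp -connect mx.yourserver.com:25` should show the Let's Encrypt chain, and the same certificate files can be reused for submission on port 587.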

Christmas Time is Shopping Time ... Sort of

Christmas is coming early this year, so I wanted to browse the Internet to see what kind of extra effort our local retail industry is expending. Out of curiosity I chose the largest, most famous shopping street in the Capital of Germany: Berlin's Kurfürstendamm. And located in that street, there is Berlin's most famous shopping mall: Europa-Center - the name says it all.

My expectation: Pretty Javascript snowflakes slowly falling down on heaps of shopping bargains, indoor maps, rotating 3D product pictures ... you know the usual Christmas websites.

Reality: A phpMyAdmin login page with an invalid TLS certificate.

Words can barely describe my level of incomprehension at how this can possibly happen. Either the retail industry has already given up the fight against Chinese eBay sellers, or they just don't believe in online marketing. Either way, I will spend my holiday shopping season online.

P.S.: What is so hard about indoor floor plans? Interactive HTML5 3D animations would be nice though.

P.P.S.: Please ignore the red DNSSEC sign, it is supposed to ... ah, just forget about it.
