Notices by kajer (kajer@infosec.exchange)

Cool, this is the preferred release.

PAN-272085
(This issue affects PAN-OS 11.1.6-h3.)
When DoH is enabled for DNS Security, multiple DoH transactions in a single HTTP/1 connection might unexpectedly cause the firewall to crash and reboot.
Workaround: Manually disable DoH support for DNS Security using the set deviceconfig setting dns-over-https enable no CLI command. Alternatively, you can remove the DNS Security configuration used to handle DoH traffic.

JFC dude

April 9 is when I told you to make access requests for the box you had me make a "DMZ" for.

This is a special network zone, everything is default-deny due to the proximity to the public internet.

TODAY is when you ask me why you dont have access? TODAY is when you link the ticket from April 9th of me saying there is no allow rules until YOU submit a request?!

FUCK

@ryanc Embrace it, get a lair, do troll things to Superman.

@ryanc @cR0w the wording of the ticket broke my brain. they want a trusted ca to give us a cert for their one ipv6 address they intend to reuse at multiple sites.

@ryanc @cR0w LOL I just re-read the ticket...

ALL servers at ALL sites will use the SAME IPv6 address, so they only need the ONE certificate.

W T A F

@ryanc @cR0w i am not going to be enabling this request by giving them a trusted cert for an ipaddress. I doubt our CA will do it, but I'm not going to ask. They don't want any type of DNS, just the internal use IP.

Hi Digicert, can I get a trusted cert for 192.168.1.1 please?

Hi Digicert, can I get a trusted cert for 2001:db8::1 please?

@ryanc @cR0w I am tempted attempt a shellshock to get this... But certificate parsing is probably secure enough to prevent this... right? RIGHT?

@ryanc @cR0w oh thats right... chrome, owning the majority browser market, gets to do what they want regardless of rules because what are you going to do about it?

@ryanc @cR0w lol @ryanc reading dcoumentation smells like a CVE in the pipeline

@ryanc @cR0w I found the same thing. I refuse out of principal. I know I work at a startup and a level of jank is involved... But damn.

@ryanc @cR0w I have seen blursed certs with entire /24s for IPv4 stuffed in the subj-alt names... I just dont want to do this... for v4 or v6

fucking use DNS for your shit

@cR0w @ryanc I'll need a cert that covers FD8C::/8 if these people fuckers I work with have anything to say about it... If I give them 1, they will want all 16 trillion 1,329,227,995,784,915,872,903,807,060,280,344,576.

Maybe there is a way to fuck with how certs are parsed like using [FD8C::/8] as a DNS name?

I don't know. That ticket will probably sit in my queue until the day I quit, and many years thereafter.

today's first ticket:

We need this RFC4193 IPv6 address to use a certificate from the company's openssl CA

You want openssl to give us a trusted cert for a non-routed IPv6 address?!

lol, what a week

@cR0w do wildcard certs apply to 192.168/16 address too? How about a wildcard for 10/8 ?

sign me up!

@cR0w I'm tempted to call on @ryanc to do stupid certificate things just for fun

@cR0w I got a free nest mini I still use as a voice announcer box for my home assistant instance. The condition of using it is neutering the microphone MEMS on the board. There were 3 microphones on the board that I cut the traces to.

The placebo switch for disabling the microphone traces directly to the CPU, so call me skeptical that it actually did anything in regards to muting the microphones

@tk I wish double DIN was still a standard. The aftermarket headunit market was insane in the late 90s

I had a thread about cloudflare having too much power the other week... Seems like it aged well. 🤦♂️

Cloudflare is a MITM provider. Companies paid for this.

@mozillaofficial right now

@elfin @feld @mkljczk EFNET is dead. I have been idle in the neg9 room for years, only ever seeing chanfix do it's thing. :(