I hear Fortinet customers are having a lot of fun. Shall I repeat my rant about "cybersecurity" products from last time? If you run a Forti appliance: Will you stop doing so? Will you buy one from one of those other vendors that fucked up in recent years? Is there any situation in which you will admit that these things do more harm than good?
It says so much about the broken state of our public discourse that we are currently debating sick-leave rates, yet not a single proposal aims at people getting sick less often. I mean, it's not as if there were nothing one could do. (Air filters, masks, working from home, easier access to vaccinations, ...)
Due to lack of time, there was no Q&A after my #38C3 talk, but in the chat, someone asked an interesting question. I said in the talk that methanol is the simplest carbon-containing liquid; the person remarked that this would instead be formic acid (de: "Ameisensäure") and asked whether using formic acid instead of methanol would be interesting. The molecular difference between formic acid and methanol is that it contains one oxygen atom instead of two hydrogen atoms. 🧵
This is quite something: The BBC reports about health misinformation. One example is... a show on BBC! I mean, I guess it's good that they critically evaluate their own reporting.
But it gets better: "A spokesperson for the BBC declined to comment."
That's quite arrogant of the BBC to decline to comment when a journalist working for the BBC asks you for a comment.
I'm seeing lots of spam lately either from domains that have [easytoremembername].com and end up being domains for sale, or, today, a flood of [name of bank].de, which belongs to the bank, but is probably not used by them for email. All without DMARC. I don't recommend p=reject for actually used domains, but for domains that are *unused for email*, you have no deliverability problem, you want non-deliverability for all mails with that sender.
@TimPhSchaefers then @ubernauten should fix that. Allow customers to set a "no email" option that sets DMARC to reject, SPF to -all, and MX to "." (null MX).
Dear everyone who owns domains that are *not used for e-mail*, particularly ones that are potential targets for phishing (banks, high-profile names): Could you please configure SPF+DMARC, ideally with p=reject? You may wonder: Why should I configure anything email for a host that isn't used for email? Well... it helps others to identify spam sent with your domain as the sender.
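The "no email" posture described in the two posts above (SPF `-all`, DMARC `p=reject`, null MX) can be verified mechanically. The following is an added example, not code from the author of these posts: an offline checker that takes a domain's apex TXT, `_dmarc` TXT and MX records and lists what is missing for a domain that is never meant to send mail. The record sets at the bottom are constructed for illustration; in practice you would fill the `DnsRecords` fields from a DNS lookup. The null MX form `0 .` is the one defined in RFC 7505.

```python
"""Check whether a domain that is not used for e-mail is locked down (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DnsRecords:
    """The three record sets the check needs (values are supplied by the caller)."""
    spf_txt: list[str]           # TXT records at the domain apex
    dmarc_txt: list[str]         # TXT records at _dmarc.<domain>
    mx: list[tuple[int, str]]    # (preference, exchange) pairs


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'k=v; k2=v2' style record (DMARC) into a dict with lower-cased keys."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_no_email_posture(records: DnsRecords) -> list[str]:
    """Return findings for a domain that should never send mail; empty list means it is locked down."""
    findings: list[str] = []

    # SPF: exactly one v=spf1 record, and for an unused domain it must be "v=spf1 -all".
    spf = [r for r in records.spf_txt if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record; receivers cannot reject spoofed mail on SPF")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; that is a permerror and SPF is ignored")
    else:
        terms = [t.lower() for t in spf[0].split()[1:]]
        if terms != ["-all"]:
            findings.append(f"SPF: expected 'v=spf1 -all' for an unused domain, got {spf[0]!r}")

    # DMARC: record at _dmarc with p=reject; sp defaults to p, pct defaults to 100.
    dmarc = [r for r in records.dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record at _dmarc; spoofed mail gets no policy")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'}; unused domains should use p=reject")
        sub_policy = tags.get("sp", policy).lower()
        if sub_policy != "reject":
            findings.append(f"DMARC: subdomain policy sp={sub_policy or 'missing'}; subdomains stay spoofable")
        pct = tags.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct}; the policy applies only to part of the mail")

    # Null MX (RFC 7505): a single MX with preference 0 and exchange "." tells senders to give up.
    if not records.mx:
        findings.append("MX: no MX record; add null MX '0 .' so senders fail fast")
    elif records.mx != [(0, ".")]:
        findings.append(f"MX: expected null MX [(0, '.')], got {records.mx}")

    return findings


# Constructed record sets, not real lookups: a typical "forgotten" domain and the locked-down one.
WEAK = DnsRecords(
    spf_txt=["v=spf1 include:_spf.example.net ~all"],   # soft fail, so spoofed mail still gets through
    dmarc_txt=[],                                         # no DMARC at all
    mx=[(10, "mail.example.com.")],                       # points at a mailbox nobody reads
)
LOCKED = DnsRecords(
    spf_txt=["v=spf1 -all"],
    dmarc_txt=["v=DMARC1; p=reject; sp=reject"],
    mx=[(0, ".")],
)

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("locked", LOCKED)):
        print(name, check_no_email_posture(recs) or ["ok"])
```

Running the block prints three findings for the weak record set (SPF, DMARC and MX) and "ok" for the locked one; a DMARC record with `p=none` is reported as a finding on both the main and the subdomain policy, since `sp` inherits from `p`.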
I had feared that the topic would be too obscure, but #38c3 accepted my talk. So you'll be able to hear me talk about Green Methanol, and why it may be an important technology for a climate-neutral future.
Their products are flawed not just because they're badly implemented - which they are - but because they are based on a stupid idea. The idea that you improve your IT security by adding more complexity. Doing the opposite is the right approach. But you can't sell that as a product. (You can still sell it, but it's not something you just plug into your network and get security magically.)
Actually, the value of Citrix rose after that: https://www.marketscreener.com/quote/stock/CITRIX-SYSTEMS-INC-4863/ These things have no consequences for these companies; it's a completely broken market. I'm reading news that CrowdStrike's value dropped. I have doubts that this will be permanent.
I'm mentioning Citrix specifically because it really boggles my mind how they can still be in business. In case you don't remember, there were countless gov entities, hospitals, and whatnot hacked in 2020, due to a really epic fuckup by Citrix. It was a flaw they knew about, and hadn't provided a fix, only an unreliable workaround that sometimes didn't work.
Honestly, if we could get that one basic message out, that if their IT security is based on more complexity, not less, they're doing it wrong, maybe we could start putting crap companies like CrowdStrike or Citrix out of business.
Let's cut the bullshit and spell out a few things. The IT security industry is about as trustworthy as the food supplement and vitamin industry, but somehow they escaped the same reputation. Their products are overwhelmingly based on flawed ideas, and the quality of their software is exceptionally bad. And while not everyone will agree with the harshness of my words, I'll say this: Essentially everyone in IT security who knows anything in principle knows this.