Phil Pennock

Jon Stewart is a bastard: some things just can't be unseen.

Phil Pennock

Shared publicly  - 
 
I put together some thoughts on DMARC last night; just brushed them up while actually awake and posted: http://bridge.grumpy-troll.org/2014/04/dmarc-stance/

Phil Pennock

Shared publicly  - 
 
I fairly recently said I was stopping with CACert assurances.  Well, credit where it's due, of all the CA interactions for revocations I've dealt with this week, they've been by far the most reliable and most competent.

In large part, this is probably because they didn't defer revocations to a manual error-prone process, but automated it.  In fact, it's slightly scary that there's no confirmation step on revocation, that's how easy it is with CACert.

So it's easy, with cacert, to just add a comment to all existing certs, "pre-hb", then create new certs, then when deleting the old ones just make sure to delete the ones with the nice shiny pre-hb label.

Phil Pennock

Shared publicly  - 
 
Amazing how many companies came out saying "we're not affected by Heartbleed, at all" early this week, before vendors such as Cisco, VMware and F5 came out with their lists of affected product versions. Hint: if your loadbalancer is vulnerable, it doesn't matter what software you're using in your web-server.
5 comments
 
The lying may also be more intentional than suspected - NSA operation ORCHESTRA: Annual Status Report

Phil Pennock

Shared publicly  - 
 
Wait, when did Firefox remove CRL support and enable OCSP support? OCSP without using Stapling is leaking all of your browsing activity to CAs. That's just wrong.
12 comments
 
(we take pull requests to add to the data yaml file)

Phil Pennock

Shared publicly  - 
 
Meep
 
This Cliven Bundy situation has a lot of conservative activists and media personalities finally showing their true colors.

Here’s a guy who doesn’t recognize the existence of the United States government. He doesn’t accept federal authority because he doesn’t think the country should exist in the first place. He says he’s in the sovereign state of Nevada, and only the county sheriff has legal authority over him. The grazing land can’t be federal because the United States of America is illegitimate.

He is, by the purest definition, anti-American. And he is the new right-wing hero.

So much for all the “proud to be American” nonsense, huh? So much for the flag pins and the yellow ribbons and “support our troops”; so much for the Founding Fathers and the Constitution and liberty and justice for all. Oh, sure, those conservatives still exist – but you wouldn’t know it from watching Fox News, or reading social media.

No, the ones we hear from think this guy is a hero. For a while, they’ve been talking about nullification of federal laws, and federal laws not applying to Hobby Lobby, and abolishing the IRS and the EPA, and the federal government having no business in their schools or telling them they can’t discriminate against minorities they don’t like. Now they’re going whole hog, signing on with a guy who just plain thinks the United States of America shouldn’t exist.

See, it’s not about the money. If Mr. Bundy were a food stamp recipient, then it would be about the money – but grazing his cattle on public land without paying, essentially stealing from all of us, doesn’t make him a “taker”. No, it’s different, because this guy, unlike the “takers”, is against the very existence of the federal government. And that’s a cause they can get behind.

They can get behind it with guns. They’re itching for a fight. They wanted the shooting to start. The shooting didn’t start, because clearer heads prevailed at the BLM; not so much with the self-styled militia. “The people have the power when they unite,” Mr. Bundy’s son Ammon told a local newspaper. “The war has just begun.”

One right-wing media personality did stand out: Glenn Beck, who characterized the Bundy supporters as “the right’s version of Occupy Wall Street”, who “don’t care what the facts are, they just want a fight.” “We need to agree on, ‘we condemn those who use violence,’” he said on his TV program. “If you think that you have been wronged by this government more than Martin Luther King and the people he marched with, you’re out of your mind.” Really? Glenn Beck is the one talking some sense?

Of course, Mr. Bundy and his militia have every right to sit there with all the guns they want and say whatever they want about the government – and I’m kind of glad they are, because now we get to see what the 21st Century right wing really stands for.
 
May be the first rational thing I've ever heard Glenn Beck say.

Phil Pennock

Shared publicly  - 
 
Holy shit, Chrome just actually succeeded in noticing a revoked site certificate!

I've no idea if it's on the "important" list, or something else, but:

https://www.cloudflarechallenge.com/heartbleed
2 comments
 
Yup, but when I tried to "select all" to paste that chrome warning elsewhere the whole damn browser crashed instantaneously.

Phil Pennock

Shared publicly  - 
 
I do wish that some of the certificate authorities would stop using Heartbleed as an opportunity to pimp product and carefully claim that new certs are free replacements (while carefully not claiming that revoking the old certs is free) and would instead actually come out and tell us whether or not they've ensured that client access portals have all been fixed, so that it's actually safe to buy new certs from them.
6 comments
 
I'm willing to buy fresh certs from any trusted CA vendor who can actually respond and has demonstrated that they understand revocation and can handle it, so that the next time we have a problem, we know we can rely upon them.  Revoking the current certs can follow afterwards.  Anyone have any recommendations?

Phil Pennock

Shared publicly  - 
 
Grabbing https://github.com/agl/crlset-tools to be able to look at the CRLs which Google bundle into Chrome update, there are currently 22327 revoked certificates.

% ./crlset fetch > crl-set
% ./crlset dump crl-set |grep -c '^  [0-9A-Fa-f]'
2 comments
 
Or you just use Golang's crypto/x509.Certificate structure and let Go handle all the serialization nuttiness for you.  Go is very nice to work with and Adam's code above is a very nice example of doing so with thorough error-checking.
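The post above counts revoked entries in the CRLSet dump with grep, and the comment suggests letting Go's crypto/x509 do the certificate parsing instead. The following is an added example written for this page; it is not Phil Pennock's or the crlset-tools code. It assumes, as the example's own model, that a CRLSet-style revocation list is keyed by the SHA-256 of the issuing CA's SubjectPublicKeyInfo plus the leaf's serial number; the names RevocationSet, MakeChain, SPKIHash and SerialHex are chosen here, and the CA and leaf certificates are throwaway ECDSA certificates generated in-process as constructed test data. The point it shows is that the two things such a lookup needs, the issuer's raw SPKI bytes and the serial, fall straight out of the parsed x509.Certificate with no hand-written DER handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RevocationSet is a constructed stand-in for a CRLSet-style list: revoked
// serials (upper-case hex) grouped under the SHA-256 of the issuing CA's
// SubjectPublicKeyInfo. That keying is an assumption of this example.
type RevocationSet map[[32]byte]map[string]bool

// SPKIHash hashes the DER SubjectPublicKeyInfo that crypto/x509 already
// isolated while parsing, so no ASN.1 is touched by hand.
func SPKIHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// SerialHex renders the serial as upper-case hex, the form the grep in the
// post matches in the dump.
func SerialHex(c *x509.Certificate) string {
	return strings.ToUpper(hex.EncodeToString(c.SerialNumber.Bytes()))
}

// Revoke records a serial (hex, any case) as revoked under the given issuer.
func (r RevocationSet) Revoke(issuer *x509.Certificate, serialHex string) {
	key := SPKIHash(issuer)
	if r[key] == nil {
		r[key] = map[string]bool{}
	}
	r[key][strings.ToUpper(serialHex)] = true
}

// IsRevoked looks a leaf up under its issuer's SPKI hash. Indexing a missing
// issuer yields a nil map, and indexing that yields false, so no ok-check is needed.
func (r RevocationSet) IsRevoked(issuer, leaf *x509.Certificate) bool {
	return r[SPKIHash(issuer)][SerialHex(leaf)]
}

// Count totals revoked serials across all issuers (what the grep -c counts).
func (r RevocationSet) Count() int {
	n := 0
	for _, serials := range r {
		n += len(serials)
	}
	return n
}

// MakeChain builds a throwaway P-256 CA and a leaf it signs with the given
// serial. Both certificates are constructed test data for this example.
func MakeChain(leafSerial int64) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(leafSerial),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := MakeChain(0xABCD)
	if err != nil {
		panic(err)
	}
	set := RevocationSet{}
	set.Revoke(ca, "abcd")
	fmt.Printf("issuer spki sha256=%x serial=%s revoked=%v total=%d\n",
		SPKIHash(ca), SerialHex(leaf), set.IsRevoked(ca, leaf), set.Count())
}
```

Because the lookup is keyed on the issuer's public key rather than its name, a leaf with the same serial under a different CA does not match, which is the property a revocation list needs when serials are only unique per issuer.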
Story
Tagline
Semi-Recovering Grumpy Troll
Introduction
We're more than any labels, or our jobs, or our passions, but I'll provide some labels which provide a glimpse.

Unix systems programmer, system administrator, Site Reliability Engineer, whatever the current in vogue term is. Think of the stereotype and you have a decent first approximation, beard and all.

ISP background, RFC-reading, protocol-loving but committees-loathing guy. Security sometimes a bit of a strength, more often than it's a weakness.

PGP Keys: 0x403043153903637F 0x7C34B4E14CE4F655

There's far far more, but it rapidly gets private (belief systems, sociological structures and more) and this is a public introduction.

The poetical fluff side says "son of Albion", yada yada.

I do have a sense of humour. It's often dry or quirky. Various expeditions have so far failed to prove the existence of this alleged sense of humour, but equally, they haven't disproven its existence, so I'm still in the game.
Bragging rights
One of the Exim maintainers. That counts, right?
Basic Information
Gender
Male