Jered Floyd
Works at Permabit Technology Corp.
Attended MIT
Lives in Somerville, MA

Jered Floyd

Shared publicly  - 
 
LazyWeb: Have any of you ever set up common passwords between Google and something else? (In my case, Zimbra, but Windows AD would do too.) I don't want different passwords between my Zimbra mail infrastructure and my Google Apps for Non-Profits. This should be possible, but everything is a big mess of spaghetti.

I'm flexible; either Zimbra or Google can be the authoritative identity provider. Let's start with Google being authoritative.

Zimbra can check passwords against an internal LDAP server (OpenLDAP), an external LDAP server, or Kerberos. I can't find any way to get Google to expose an LDAP interface with salted hashed passwords, so that direction seems right out.

Google can use an external IdP if I have a SAML provider, and I'm sure I can get one of those that sits on top of LDAP (or SASL).... except that only works for Google Web Apps, not real applications. So, that's out.

Google provides GADS (Google Apps Directory Sync)! But, it only supports passwords that are unsalted SHA-1 or MD5 (WTF?), and I'm using SSHA512.

Google then says "check the App Marketplace ¯\(ツ)/¯" without specific pointers, and the only thing that turns up is ClearLogin, a complex identity broker that wants $3/month/user.

So, yeah. Is this just a problem that nobody has cared enough about to make simple? Why does Google not support password hashes that are considered secure in this decade? Is there a right answer?
1
5 comments
 
+Michael Safyan That totally worked; thanks. simpleSAMLphp is providing IdP to Google (authenticated against the Zimbra LDAP), and GADS is syncing user and group data into the Google Directory Service. This should be fine until one of these brittle pieces of software stops working right. :-)

Jered Floyd

Shared publicly  - 
 
After years and years, why is this still the only way to delete a table in GMail? 
1

Jered Floyd

Shared publicly  - 
 
Will I miss anything important if I just blacklist all IP addresses in China? My server isn't even a meaningful target, yet I have 1000s of portscan and ssh brute force attacks per day, and every single one is from China.... I'm not concerned about any of them being successful but this is just insane!
1
4 comments
 
er... actually, looks like FB decided to spellchuck "with" to "without" - the databases are a combination of as much coverage of China ISP's (and N. and S. Korea, as well) as possible, plus a database of "honeypot" hits - on a crappy-ass register.com shared server, adds about 100ms latency. Cut the annoying (and mostly completely ineffective) hits to our ecommerce by about 98% or better. *most* of the hits from China were either very stupid or very low level - I speculate probes to catalog vulnerable sites.

Jered Floyd

Shared publicly  - 
 
Anyone else here use BuddyNS for secondary service? They seem to be processing AXFRs but not propagating to their network and it's causing serious operational issues for me. I have a paid acct but there's no response from support@... I think it's two guys and no pager. Any ideas?
1

Jered Floyd

Shared publicly  - 
 
I appreciate that Google recognizes when it's made a mistake: http://googleblog.blogspot.com/2015/07/everything-in-its-right-place.html

Does this mean we get Reader back next? Please?
4
5 comments
 
For the record I like Newsblur well enough as a reader replacement, but it's a one-man shop and to put it mildly does not have google-style uptime. :)

Jered Floyd

Shared publicly  - 
 
Googlers: How limited is Google Takeout?  I was trying to grab individual labels from a GMail account and after three it just says "Oops, something went wrong!"

"Sorry, you are trying to create too many archives. Please try again later. [Help Center]"

The Help Center, like all Google documentation, is absolutely and completely useless -- not even mentioning this case at all.  (Like, seriously, I think all google "Help" links should just result in a pop-up in 96 point type saying "FUCK YOU!" -- that's about how helpful they are.)
1
3 comments
 
Why on earth is there a limitation?

Jered Floyd

Shared publicly  - 
 
Has anyone noticed United Wi-Fi selectively blocking only secure connections?

Several times during my current flight, I've had extended periods of time where I can connect to origin servers on port 80 (and retrieve unique URLs so I know it's not a local cache), but not on 443 (or 22, for that matter.) Some sites (cnn.com, google.com) always work, but others (gmail.com, my personal servers) cannot establish connections for secure services, but insecure ones work just fine.

I'm not sure what conspiracy theory I should be generating around this, but it's very frustrating!
1

Jered Floyd

Shared publicly  - 
 
Anyone here have experience debugging ISC bind? (Also, why do we use this awful software?)

My main name server is returning SERVFAIL for some queries, intermittently. One that seems to be consistent is trying to get the address for the MX for oddnoise.com. If I restart bind I can either query the MX, or query the A record for mail.oddnoise.com, but once I've done one the other will not succeed until I restart bind.

I increased logging, and just see, for example:
query failed (SERVFAIL) for oddnoise.com/IN/MX at query.c:7002

I made the mistake of staring into the abyss that is bin/named/query.c. The function "query_find" is 1907 lines long! And line 7002?

    default:
        /*
         * Something has gone wrong.
         */
        QUERY_ERROR(DNS_R_SERVFAIL);
        goto cleanup;

I can't make this shit up. A 2000 line main function and "something has gone wrong". I weep for humanity.

But, anyway, ideas on how to fix?
1
6 comments
 
The super-annoying thing here is that it works the first time because when you do a query against the working glue record you get back additional records that contain working data (that is used to answer the query at hand successfully), but it appears those don't get cached but the busted authority record does, which means subsequent queries fail. Fail. Fail fail fail. 

Jered Floyd

Shared publicly  - 
 
On one hand, open source software is great because you can fix your own bugs.

On the other hand, I just spent the last four hours figuring out, fixing, and submitting a patch for a bug that was introduced in 2012 into the expletive pile that is cyrus-sasl2.

If most security and authentication software is like cyrus-sasl2, we are all doomed.
2
Jered Floyd
 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815208 if you care. If you're getting 0 back from read() then it's not a good idea to keep looping for more data.
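
A read loop that treats a 0 return from read() as end-of-stream instead of retrying, as an added example that is not part of the original post and is neither the cyrus-sasl2 code nor the submitted patch. The names `read_full` and `demo_peer_closes` and the pipe-based input are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Read up to `want` bytes from fd, retrying short reads.
 * Returns the number of bytes read (less than `want` only if the peer
 * closed first), or -1 on a real error.
 */
ssize_t read_full(int fd, void *buf, size_t want)
{
    size_t got = 0;

    while (got < want) {
        ssize_t n = read(fd, (char *)buf + got, want - got);
        if (n > 0) {
            got += (size_t)n;   /* partial data: keep going */
        } else if (n == 0) {
            break;              /* EOF: looping again would spin forever */
        } else if (errno != EINTR) {
            return -1;          /* genuine error */
        }                       /* EINTR: fall through and retry the read */
    }
    return (ssize_t)got;
}

/* Constructed demo: a peer writes `len` bytes, then closes its end of a pipe. */
ssize_t demo_peer_closes(const char *msg, size_t len, size_t want)
{
    int p[2];
    char buf[64];
    ssize_t n;

    if (want > sizeof buf || pipe(p) != 0)
        return -2;
    if (write(p[1], msg, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -2; }
    close(p[1]);                        /* peer goes away */
    n = read_full(p[0], buf, want);
    close(p[0]);
    return n;
}

int main(void)
{
    /* Caller expected 10 bytes but the peer sent 5 and closed. */
    printf("%zd\n", demo_peer_closes("hello", 5, 10));
    return 0;
}
```

The caller compares the return value with `want` to tell a truncated message from a complete one.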

Jered Floyd

Shared publicly  - 
 
How do I make the main feed (or whatever it's called) in G+ wider? Before the redesign it was only using about half the horizontal space in my browser. With the NEW IMPROVED! G+ now it's using about one quarter. I get about 5 words per line....
1
9 comments
Greg S
 
I just measured and I see the text being almost exactly the same width in the old and new format. Both comically narrow given the size of the window but no significant change.

Really I don't see any functional changes. Just another in the merry-go-around of pointless UI revamps. Still no way to filter or hide sources of posts which has made Facebook nearly tolerable. The only reason G+ is at all readable is that the signal/noise ratio is still relatively high but it's rapidly becoming lower and looks like it'll soon be all reshares and social junk.

Jered Floyd

Shared publicly  - 
 
Help! I'm getting a shakedown by Barracuda Networks.  They seem to be getting out of the "anti-spam" and into the "protection racket" business.

Recipients have been getting bounce-unsubscribed from a community mailing list that I administer. The most recent bounces say that this was "blocked using Barracuda Reputation;  http://www.barracudanetworks.com/reputation/"

Visiting that page provides no information on the specific reason my MTA has been blocked so I can't determine if there is a configuration issue, and has a link for one-time removal.

Below that it says "One way to get your email through spam filters even if you are listed on the BRBL is to register your domain and IPs at EmailReg.org." OK, sounds good, I can prove that my IP address is allowed to send for my domains -- I thought that was what SPF and DKIM were for (which are configured) but whatever.

However, I click through to emailreg.org and AFTER signing up for an account and configuring it they then reveal that there is a $20 "administrative fee" per domain.

This should be criminal, but I'm sure it isn't.  Does anyone have a solution for the Barracuda Networks Protection Racket?
3
2 comments
 
Did you look up your reputation here http://www.barracudacentral.org/reputation and did it say anything useful?

Jered Floyd

Shared publicly  - 
 
Huh.  "Collections" are what I wanted when this whole G+ started nearly 4 years ago.  I fear it may be too late for here now, but I hope that Facebook copies it...
1
Places
Currently
Somerville, MA
Work
Occupation
CTO
Employment
  • Permabit Technology Corp.
    CTO, present
Education
  • MIT
Basic Information
Gender
Male