Profile cover photo
Profile photo
Jered Floyd
1,742 followers
1,742 followers
About
Jered's interests
View all
Jered's posts

LazyWeb: Have any of you ever set up common passwords between Google and something else? (In my case, Zimbra, but Windows AD would do too.) I don't want different passwords between my Zimbra mail infrastructure and my Google Apps for Non-Profits. This should be possible, but everything is a big mess of spaghetti.

I'm flexible; either Zimbra or Google can be the authoritative identity provider. Let's start with Google being authoritative.

Zimbra can check passwords against an internal LDAP server (OpenLDAP), an external LDAP server, or Kerberos. I can't find any way to get Google to expose an LDAP interface with salted hashed passwords, so that direction seems right out.

Google can use an external IdP if I have a SAML provider, and I'm sure I can get one of those that sits on top of LDAP (or SASL).... except that only works for Google Web Apps, not real applications. So, that's out.

Google provides GADS (Google Apps Directory Sync)! But, it only supports passwords that are unsalted SHA-1 or MD5 (WTF?), and I'm using SSHA512.

Google then says "check the App Marketplace ¯\(ツ)/¯" without specific pointers, and the only thing that turns up is ClearLogin, a complex identity broker that wants $3/month/user.

So, yeah. Is this just a problem that nobody has cared enough about to make simple? Why does Google not support password hashes that are considered secure in this decade? Is there a right answer?

Has anyone noticed United Wi-Fi selectively blocking only secure connections?

Several times during my current flight, I've had extended periods of time where I can connect to origin servers on port 80 (and retrieve unique URLs so I know it's not a local cache), but not on 443 (or 22, for that matter.) Some sites (cnn.com, google.com) always work, but others (gmail.com, my personal servers) cannot establish connections for secure services, but insecure ones work just fine.

I'm not sure what conspiracy theory I should be generating around this, but it's very frustrating!

Post has attachment
After years and years, why is this still the only way to delete a table in GMail? 

Anyone here have experience debugging ISC bind? (Also, why do we use this awful software?)

My main name server is returning SERVFAIL for some queries, intermittently. One that seems to be consistent is trying to get the address for the MX for oddnoise.com. If I restart bind I can either query the MX, or query the A record for mail.oddnoise.com, but once I've done one the other will not succeed until I restart bind.

I increased logging, and just see, for example:
query failed (SERVFAIL) for oddnoise.com/IN/MX at query.c:7002

I made the mistake of staring into the abyss that is bin/named/query.c. The function "query_find" is 1907 lines long! And line 7002?

default:
/* * Something has gone wrong.
*/
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;

I can't make this shit up. A 2000 line main function and "something has gone wrong". I weep for humanity.

But, anyway, ideas on how to fix?

Will I miss anything important if I just blacklist all IP addresses in China? My server isn't even a meaningful target, yet I have 1000s of portscan and ssh brute force attacks per day, and every since one is from China.... I'm not concerned about any of them being successful but this is just insane!

On one hand, open source software is great because you can fix your own bugs.

On the other hand, I just spent the last four hours figuring out, fixing, and submitting a patch for a bug that was introduced in 2012 into the expletive pile that is cyrus-sasl2.

If most security and authentication software is like cyrus-sasl2, we are all doomed.

Anyone else here use BuddyNS for secondary service? They seem to be processing AXFRs but not propagating to their network and it's causing serious operational issues for me. I have a paid acct but there's no response from support@... I think it's two guys and no pager. Any ideas?

How do I make the main feed (or whatever it's called) in G+ wider? Before the redesign it was only using about half the horizontal space in my browser. With the NEW IMPROVED! G+ now it's using about one quarter. I get about 5 words per line....

Post has attachment
I appreciate that Google recognizes when it's made a mistake: http://googleblog.blogspot.com/2015/07/everything-in-its-right-place.html

Does this mean we get Reader back next? Please?

Help! I'm getting a shakedown by Barracuda Networks.  They seem to be getting out of the "anti-spam" and into the "protection racket" business.

Recipients have been getting bounce-unsubscribed a community mailing list that I administer.  The most recent bounces say that this "blocked using Barracuda Reputation;  http://www.barracudanetworks.com/reputation/"

Visiting that page provides no information on the specific reason my MTA has been blocked so I can't determine if there is a configuration issue, and has a link for one-time removal.

Below that it says "One way to get your email through spam filters even if you are listed on the BRBL is to register your domain and IPs at EmailReg.org." OK, sounds good, I can prove that my IP address is allowed to send for my domains -- I thought that was what SPF and DKIM were for (which are configured) but whatever.

However, I click through to emailreg.org and AFTER signing up for an account and configuring it they then reveal that there is a $20 "administrative fee" per domain.

This should be criminal, but I'm sure it isn't.  Does anyone have a solution for the Barracuda Networks Protection Racket?
Wait while more posts are being loaded