WTF Bites


  • Discourse touched me in a no-no place

    @Tsaukpaetra Sure, but that's such an edge case that nobody making the software thought to bother to account for it.


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    @Tsaukpaetra Sure, but that's such an edge case that nobody making the software thought to bother to account for it.

    Clearly not. After all, this isn't a large company and they likely don't have anyone to test things like "What if we have this installed and used for more than a year?".

    I could excuse the certificate expiry if there was an easy "Oh yeah, you're still using the default. Wanna just refresh that, or do you want to set up a proper setup for that? [Just renew] [Show me the guide]" alert.

    I would excuse it if the management software allowed you to explicitly disable https, even for temporary troubleshooting purposes.

    I would excuse it if there was a "Allow me to patch into the network as a privileged and ungated user for the purposes of troubleshooting" option.

    Nothing besides the perfect happy path was accounted for, and that's not acceptable in a paid service, in my opinion.


  • Notification Spam Recipient

    Status: In other news, on another system, it is apparently not possible to specify DNS servers to use in the UI...

    Wonder if there's a system update that fixes that...


  • Discourse touched me in a no-no place

    @Tsaukpaetra said in WTF Bites:

    Nothing besides the perfect happy path was accounted for, and that's not acceptable in a paid service, in my opinion.

    :laugh-harder: 🌚 🍒

    OK, that's not great for :new and :here is weirder still.


  • 🚜 Regular

    @dkf said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Can I just take a moment and reflect on the retardedness of requiring HTTPS inside a VPN?

    There's "trusted" and then there's trusted. For reference, we have to allow students inside our network (and yes, they can use a VPN to access our teaching resources from home) and I wouldn't trust them very far at all. After all, I remember what I was like as a student...

    No one taught me the address of the DNS server does not go on the static IP assignment. I learned that all by myself!

    Once I learned that lesson, I solved everyone's internet problems and they did not even realize it.


  • Considered Harmful

    @Applied-Mediocrity said in WTF Bites:

    an interesting new bug (errata)

    I registered specifically to :pendant: about this :angry:



  • @HardwareGeek would tell you that hardware companies always refer to bugs as errata, even if there's just a single one. Fortunately for grammar, there's almost never just a single one.


  • BINNED

    @Zerosquare said in WTF Bites:

    @HardwareGeek would tell you that hardware companies always refer to bugs as errata, even if there's just a single one. Fortunately for grammar, there's almost never just a single one.

    Well, people also refer to indexes or vortexes or such nonsense. I also frequently see “a criteria”.
    I weep silently.


  • Banned

    @topspin don't forget data. Just one data.


  • Considered Harmful

    @Zerosquare said in WTF Bites:

    @HardwareGeek would tell you that hardware companies always refer to bugs as errata, even if there's just a single one. Fortunately for grammar, there's almost never just a single one.

    No doubt they do, but I suppose @HardwareGeek in particular wouldn't say they're right.


  • BINNED

    @Gustav said in WTF Bites:

    @topspin don't forget

    I did, until you had to remind me. 🏆


  • Fake News

    @Gustav said in WTF Bites:

    @topspin don't forget data. Just one data.



  • @Tsaukpaetra said in WTF Bites:

    Status: Can I just take a moment and reflect on the retardedness of requiring HTTPS inside a VPN?

    System offline: failed to WebSocket dial: failed to send handshake request: Get "https://172.28.0.12:443/websocket": x509: certificate has expired or is not yet valid: current time 2023-06-03T06:30:41Z is after 2023-03-10T23:28:16Z
    

    What? A certificate for an IP? :mlp_really:? :wtf: Not even a https://172.28.0.12.nip.io/websocket magic domain?

    While the X.509 format does allow it, not all tools accept it. Though the main purpose of the nip.io magic domain is that some things assume virtual hosts—you can use things like anything.172.28.0.12.nip.io and any.thing.172-28-0-12.nip.io to get vhosts on a test server without having to set up your own DNS.



  • @Tsaukpaetra said in WTF Bites:

    I comprehend the benefits of validating a connection and all that. But come on! It was already a self-signed cert, just let me force it through!

    And that was never supported in the first place.

    And on that note, apparently this is because the self-signed cert is generated at install and only lasts one year,

    Well, I suppose they generate a self-signed certificate for testing purposes, but assume you'll install a proper certificate before you let users anywhere close to it.

    but in order to renew it you have to rigmarole through the openssl prompts (but in GUI form!) to create a CA and then a signing request, and finally a certificate, whereupon you need to then go elsewhere to actually assign that certificate and finally reload the interface.

    Now either you or the software is not making much sense. The normal procedure is that the server spits out a CSR, to do which it basically only needs to ask you all its names (and possibly the other identification data, though the CA can override them if needed anyway), and you get that signed elsewhere. And any organization already needs to have an internal CA these days, and if it uses Microsoft Active Directory, it also does have one right there.

    But if the software is asking you to set up its own CA, then :wtf: is it doing and :wtf: does it need to ask you stuff, because it probably shouldn't be.

    Or you mean it's just the documentation telling you what to do including setting up your CA? Well, let's call it a docudementation then.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Status: Can I just take a moment and reflect on the retardedness of requiring HTTPS inside a VPN?

    System offline: failed to WebSocket dial: failed to send handshake request: Get "https://172.28.0.12:443/websocket": x509: certificate has expired or is not yet valid: current time 2023-06-03T06:30:41Z is after 2023-03-10T23:28:16Z
    

    What? A certificate for an IP? :mlp_really:? :wtf: Not even a https://172.28.0.12.nip.io/websocket magic domain?

    While the X.509 format does allow it, not all tools accept it. Though the main purpose of the nip.io magic domain is that some things assume virtual hosts—you can use things like anything.172.28.0.12.nip.io and any.thing.172-28-0-12.nip.io to get vhosts on a test server without having to set up your own DNS.

    I managed to generate a certificate that had it. Now it's complaining that it's not from a trusted authority. :mocking_spongebob:

    One would think that would be more important than "it seems you're not talking about yourself" but I suppose that's more difficult to check or something.
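The three complaints in the posts above (expired, then the IP not being in the certificate, then the untrusted issuer) come out in exactly the order Go's crypto/x509 applies its checks: validity period, then name, then chain. This is an added example, not code from the thread or from the management software; it assumes only that the client is a Go TLS client (which the quoted error text suggests) and reproduces the quoted timestamps with a constructed self-signed certificate whose sole identity is an iPAddress SAN. It also shows that a nip.io name does not help unless the certificate carries a DNS SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed timestamps matching the quoted error: a one-year cert checked about three months late.
var (
	notBefore      = time.Date(2022, 3, 10, 23, 28, 16, 0, time.UTC)
	notAfter       = time.Date(2023, 3, 10, 23, 28, 16, 0, time.UTC)
	clockAtFailure = time.Date(2023, 6, 3, 6, 30, 41, 0, time.UTC)
	clockOK        = time.Date(2023, 1, 15, 12, 0, 0, 0, time.UTC) // inside the validity window
)

// issueIPCert makes a self-signed server cert whose only identity is an iPAddress SAN; no other Subject fields.
func issueIPCert(ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ip},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify maps the error from (*x509.Certificate).Verify, the call crypto/tls makes on a leaf, to the user-visible complaint.
func classify(err error) string {
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "hostname"
	case x509.UnknownAuthorityError:
		return "untrusted"
	}
	return "other"
}

// runScenarios verifies one certificate under different clocks, names and trust stores.
// Go checks validity first, then the name, and only then whether the issuer is trusted.
func runScenarios() (map[string]string, error) {
	cert, err := issueIPCert("172.28.0.12")
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	untrusted := x509.NewCertPool() // explicit empty pool, so system roots are never consulted
	check := func(host string, now time.Time, roots *x509.CertPool) error {
		_, err := cert.Verify(x509.VerifyOptions{DNSName: host, CurrentTime: now, Roots: roots})
		return err
	}
	out := map[string]string{}
	expired := check("172.28.0.12", clockAtFailure, trusted) // expiry is reported even when trusted
	out["expired"] = classify(expired)
	if expired != nil {
		out["expired_msg"] = expired.Error() // same text as the quoted "System offline" error
	}
	out["nip_io"] = classify(check("172.28.0.12.nip.io", clockOK, untrusted)) // DNS name needs a DNS SAN; name is checked before trust
	out["untrusted"] = classify(check("172.28.0.12", clockOK, untrusted))
	out["trusted"] = classify(check("172.28.0.12", clockOK, trusted))
	return out, nil
}
```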


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    And on that note, apparently this is because the self-signed cert is generated at install and only lasts one year,

    Well, I suppose they generate a self-signed certificate for testing purposes, but assume you'll install a proper certificate before you let users anywhere close to it.

    This is the default configuration, not testing. Using https is completely optional, unless you're using the centralized management solution, which does not mention you the end user will probably need to fuck with certificates.

    but in order to renew it you have to rigmarole through the openssl prompts (but in GUI form!) to create a CA and then a signing request, and finally a certificate, whereupon you need to then go elsewhere to actually assign that certificate and finally reload the interface.

    Now either you or the software is not making much sense. The normal procedure is that the server spits out a CSR, to do which it basically only needs to ask you all its names (and possibly the other identification data, though the CA can override them if needed anyway), and you get that signed elsewhere. And any organization already needs to have an internal CA these days, and if it uses Microsoft Active Directory, it also does have one right there.

    But if the software is asking you to set up its own CA, then :wtf: is it doing and :wtf: does it need to ask you stuff, because it probably shouldn't be.

    Or you mean it's just the documentation telling you what to do including setting up your CA? Well, let's call it a docudementation then.

    If you know where and how to make your own certificates, technically you can just import them. But that still assumes you fill out all the information by hand somewhere else, there is no csr auto-generation.

    If you choose to make a csr you will inevitably need to fill out a shit tonne of information.

    I'll admit I forgot Active Directory has its own CA stuff, might try that later. But I will still need to figure out how to teach the central management piece to accept the AD authority.

    I'm probably doing something wrong, but for fuck's sake none of this should even be necessary!


  • Discourse touched me in a no-no place

    @Tsaukpaetra said in WTF Bites:

    If you choose to make a csr you will inevitably need to fill out a shit tonne of information.

    It depends entirely on the policy of the CA you send the CSR to. If they'll sign a CSR with almost no info in it (possibly because they're you... with another hat on) then that is exactly what you need to provide.


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    If you choose to make a csr you will inevitably need to fill out a shit tonne of information.

    It depends entirely on the policy of the CA you send the CSR to. If they'll sign a CSR with almost no info in it (possibly because they're you... with another hat on) then that is exactly what you need to provide.

    The stupid thing won't let me continue without providing seven pieces of garbage, I have no choice. I would absolutely try to make a CSR with just a list of SANs, but no I gotta give a type, what kind of curve, how big, what shape of brain, what country of origin, where did I provide it, how close it is, who wants it, who should be emailed about it, what it wants to be used for, what other more different things it wants to be used for, and what language it should be spoken about in.



  • @Tsaukpaetra said in WTF Bites:

    If you know where and how to make your own certificates, technically you can just import them.

    You are supposed to generate the CSR on the target and have that signed somewhere. For public servers, just install cert-manager (k8s) or dehydrated (linux) or somesuch.

    But that still assumes you fill out all the information by hand somewhere else, there is no csr auto-generation.

    I've set up a couple of company sites already that run https and filled exactly no information. cert-manager sniffs the ingress record, does the validation dance and installs good enough certificate that only has the CN and the SANs and is signed by letsencrypt with no human interaction at all and everything and everybody's happy.

    Unfortunately the domain controller isn't as good.

    If you choose to make a csr you will inevitably need to fill out a shit tonne of information.

    No, not really. You only need to provide the hostname the certificate is for (and set the expiration period to something sensible). Nobody actually cares about the other information.

    I'll admit I forgot Active Directory has its own CA stuff, might try that later. But I will still need to figure out how to teach the central management piece to accept the AD authority.

    All computers joined into the domain should automatically get that CA injected into their system trust store. So unless it's in Java, chances are good it just will.

    I'm probably doing something wrong, but for fuck's sake none of this should even be necessary!

    Internal malicious actors are a bigger threat than external ones for most companies, so companies are learning to encrypt internal communication too. And once they learn it, they just encrypt everything, because it's just the same old thing again and it's easier than thinking about which connections are sensitive and which are not. Most are anyway. The standards like ISO27001 and TISAX that companies now often demand from their contractors also require that.

    What it should be is a nibble simpler. It would be nice if the active directory controller added the ACME protocol, so you could just point any server that is not visible from the outside to your internal ACME endpoint and called it a fortnight like you do with public-facing servers and the public Letsencrypt server. But it's not that much harder with the web interface exposed on the controller once you learn it.



  • @Tsaukpaetra said in WTF Bites:

    type, what kind of curve, how big

    2048-bit RSA is the sensible default that everybody uses.

    If anybody knows, and could explain to me, the difference between the available elliptic curves and which ones I can actually use for server certificates, I'd appreciate it, but last time I looked the constraints just made no sense to me while RSA is usable for everything, so I just decided to keep going with RSA until I come across a clear recommendation for something else—unlike ssh where I've been using ed25519 for a long time unless not supported, which it still often isn't anyway.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    For public servers, just install cert-manager (k8s) or dehydrated (linux) or somesuch.

    Not a public server. 😉 And if you're exposing the admin interface of your NAS to the public internet, I have a loosely-phallic-shaped object you can interact with.

    @Bulb said in WTF Bites:

    everybody's happy

    Except it's not public and should totally not be sniffable. :mlp_shrug:

    @Bulb said in WTF Bites:

    No, not really. You only need to provide the hostname the certificate is for (and set the expiration period to something sensible). Nobody actually cares about the other information.

    Then why is it MANDATORY to be provided? GIGO.

    @Bulb said in WTF Bites:

    What it should be is a nibble simpler. It would be nice if the active directory controller added the ACME protocol, so you could just point any server that is not visible from the outside to your internal ACME endpoint and called it a fortnight like you do with public-facing servers and the public Letsencrypt server.

    I was considering making a feature request for this, since it has AD connectivity and does other certificate-things to connect (though probably only incidentally as part of what the samba software does internally) so you'd think it would be possible to automate. Sadly :kneeling_warthog:

    @Bulb said in WTF Bites:

    But it's not that much harder with the web interface exposed on the controller once you learn it.

    Yeah the controller is very much alpha software as far as I'm concerned. It would be fantastic if their auto-join procedure were to make a certificate for the joining device for use in encrypting the connection---wait, it already does by virtue of being on the VPN. Too bad it's too stupid to realize this.

    I suppose if someone were to social engineer their way to take over a static IP (I'm fairly certain the client credentials generated won't let you use any other ones than the server gave it) it might be a concern, but there's bigger problems at that point, especially since the connection cannot be used for data transfer in and of itself...



  • @Tsaukpaetra said in WTF Bites:

    Except it's not public and should totally not be sniffable. :mlp_shrug:

    Not being public does not mean much. Unfortunately these days most people tend to use Wi-Fi (the company I'm currently contracting for does not even have wired network set up, and while my company does, I can't connect the client's notebook to it, only to the Wi-Fi) and Wi-Fi can be sniffed.

    Yeah, you have the additional layer of encryption there, but the author of the software kinda ass-u-me'd there won't be.

    @Bulb said in WTF Bites:

    No, not really. You only need to provide the hostname the certificate is for (and set the expiration period to something sensible). Nobody actually cares about the other information.

    Then why is it MANDATORY to be provided? GIGO.

    Because the author of the software didn't get the memo. It's dumb, yeah.

    Yeah the controller is very much alpha software as far as I'm concerned. It would be fantastic if their auto-join procedure were to make a certificate for the joining device for use in encrypting the connection---wait, it already does by virtue of being on the VPN. Too bad it's too stupid to realize this.

    The auto-join procedure already creates a client key that is used to sign the Kerberos tickets and authenticate the connection to the controller in the future, VPN or not. And then some VPNs can use that to manage its own keys. Implementing such exchange in other software probably isn't too hard; it's just the tools to do it manually are a bit primitive.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Except it's not public and should totally not be sniffable. :mlp_shrug:

    Not being public does not mean much. Unfortunately these days most people tend to use Wi-Fi (the company I'm currently contracting for does not even have wired network set up, and while my company does, I can't connect the client's notebook to it, only to the Wi-Fi) and Wi-Fi can be sniffed.

    Yeah, you have the additional layer of encryption there, but the author of the software kinda ass-u-me'd there won't be.

    I didn't mean an attacker can sniff the connection, I meant for the purposes of requesting the certificate, which I understood you to imply?

    @Bulb said in WTF Bites:

    No, not really. You only need to provide the hostname the certificate is for (and set the expiration period to something sensible). Nobody actually cares about the other information.

    Then why is it MANDATORY to be provided? GIGO.

    Because the author of the software didn't get the memo. It's dumb, yeah.

    Someone needs to talk to them openssl folks...

    Yeah the controller is very much alpha software as far as I'm concerned. It would be fantastic if their auto-join procedure were to make a certificate for the joining device for use in encrypting the connection---wait, it already does by virtue of being on the VPN. Too bad it's too stupid to realize this.

    The auto-join procedure already creates a client key that is used to sign the Kerberos tickets and authenticate the connection to the controller in the future, VPN or not. And then some VPNs can use that to manage its own keys. Implementing such exchange in other software probably isn't too hard; it's just the tools to do it manually are a bit primitive.

    I would fully expect some kind of library interface or whatever, but not my program not my problem or whatever the phrase goes...



  • @Tsaukpaetra Note that openssl asks those parameters when you generate a certificate, but you can just hit enter and get some nonsensical dummy values filled in. And cfssl will happily not fill anything if you don't say anything.
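A signing request really can carry nothing but the names, as the replies above say. This is an added example, not the NAS vendor's code or anything posted in the thread: Go's crypto/x509 building a CSR with an empty Subject and only DNS and IP SANs, then parsing it back the way a CA's front end would (signature check included). The host name and address are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// minimalCSR builds a signing request that carries nothing but the names the
// certificate is for (DNS and IP SANs) and an empty Subject. The names passed in
// are constructed examples; a CA whose policy allows it can sign this as is.
func minimalCSR(dnsNames, ips []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	var parsed []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, nil, fmt.Errorf("not an IP address: %q", s)
		}
		parsed = append(parsed, ip)
	}
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{}, // no C/ST/L/O/OU/CN/email: TLS clients never read them
		DNSNames:    dnsNames,
		IPAddresses: parsed,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// inspectCSR does what the CA side does first: parse the PEM, check the
// self-signature that proves possession of the key, and list what was requested.
func inspectCSR(pemCSR []byte) (subjectRDNs int, dns, ips []string, err error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return 0, nil, nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return 0, nil, nil, err
	}
	if err = csr.CheckSignature(); err != nil {
		return 0, nil, nil, err
	}
	for _, ip := range csr.IPAddresses {
		ips = append(ips, ip.String())
	}
	return len(csr.Subject.ToRDNSequence()), csr.DNSNames, ips, nil
}

func main() {
	csrPEM, _, err := minimalCSR([]string{"nas.corp.example"}, []string{"172.28.0.12"})
	if err != nil {
		panic(err)
	}
	n, dns, ips, err := inspectCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject RDNs: %d, DNS SANs: %v, IP SANs: %v\n", n, dns, ips)
	fmt.Print(string(csrPEM)) // paste this to the CA of your choice
}
```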


  • Discourse touched me in a no-no place

    @Tsaukpaetra said in WTF Bites:

    @Bulb said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    @Bulb said in WTF Bites:

    No, not really. You only need to provide the hostname the certificate is for (and set the expiration period to something sensible). Nobody actually cares about the other information.

    Then why is it MANDATORY to be provided? GIGO.

    Because the author of the software didn't get the memo. It's dumb, yeah.

    Someone needs to talk to them openssl folks...

    There's a template file system that specifies what you need to provide and what the defaults are. Sounds like you're using a template written by a security dweeb, someone who understands the technical need for things but not any of the human factors.


  • 🚜 Regular

    @Bulb said in WTF Bites:

    it uses Microsoft Active Directory

    I need to start referring to AD as MAD.



  • @Zecc said in WTF Bites:

    @dkf said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Can I just take a moment and reflect on the retardedness of requiring HTTPS inside a VPN?

    There's "trusted" and then there's trusted. For reference, we have to allow students inside our network (and yes, they can use a VPN to access our teaching resources from home) and I wouldn't trust them very far at all. After all, I remember what I was like as a student...

    No one taught me the address of the DNS server does not go on the static IP assignment. I learned that all by myself!

    Once I learned that lesson, I solved everyone's internet problems and they did not even realize it.

    You know, certificate validation saved my ass once. Customer's application started to break with this error and after some investigation, we have found that the IP address from their DNS in their VPN in their AWS account actually pointed to some completely different, random AWS account. So, we were this close to sending fully valid admin JWT tokens to random dudes on the internet.

    Of course, :trwtf: is how could something like that happen... but it's actually quite a common kind of problem for that particular customer; the working theory is that they somehow got cursed by some powerful sorcerer. All their systems are just haunted.



  • @Kamil-Podlesak said in WTF Bites:

    the working theory is that they somehow got cursed by some powerful sorcerer

    Or they have a disgruntled employee trying to sabotage them. Those are quite a bit more common than powerful sorcerers.



  • @Bulb said in WTF Bites:

    @Kamil-Podlesak said in WTF Bites:

    the working theory is that they somehow got cursed by some powerful sorcerer

    Or they have a disgruntled employee trying to sabotage them. Those are quite a bit more common than powerful sorcerers.

    Potato, potahto. As A.C.Clarke said: sufficiently advanced technology is indistinguishable from magic.



  • @Kamil-Podlesak said in WTF Bites:

    that they somehow got cursed by some powerful sorcerer.

    They have computers. They are cursed. QED.


  • Considered Harmful

    This is probably on the admin who set up our JIRA, but on our scrum board we have quick filters for issues assigned to Alice, Bob, Carol, etc. Selecting more than one user uses AND logic, so (since an issue can only be assigned to one user) selecting more than one user filters out all issues and returns no results.

    (Desired functionality would be that only one quick filter can be active at a time.)



  • @error maybe someone should file a JIRA with Atlassian.


  • ♿ (Parody)

    @error said in WTF Bites:

    This is probably on the admin who set up our JIRA, but on our scrum board we have quick filters for issues assigned to Alice, Bob, Carol, etc. Selecting more than one user uses AND logic, so (since an issue can only be assigned to one user) selecting more than one user filters out all issues and returns no results.

    (Desired functionality would be that only one quick filter can be active at a time.)

    Sometimes I want that. But the AND filtering is useful, too. Usually for looking at a particular sprint or some other criteria plus "Only My Tickets."


  • BINNED

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?


  • Notification Spam Recipient

    @topspin said in WTF Bites:

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?

    Sure! If you click the thingy and make it reveal the underlying query mumbo jumbo so you can edit it yourself.


  • Considered Harmful

    @topspin said in WTF Bites:

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?

    And a tool targeted for Canadians would include the eh? also 🍹


  • BINNED

    @Applied-Mediocrity psh, I’ve had like $50 worth of Piña Coladas. Shuddup.

    đŸč


  • Considered Harmful

    @topspin Cheers, man! 🍹


  • Discourse touched me in a no-no place

    @topspin said in WTF Bites:

    @Applied-Mediocrity psh, I’ve had like $50 worth of Piña Coladas. Shuddup.

    https://www.youtube.com/watch?v=YGAeI5KODLA



  • @topspin said in WTF Bites:

    @Applied-Mediocrity psh, I’ve had like $50 worth of Piña Coladas. Shuddup.

    đŸč

    After just returning from Hawaii, that's approximately 2 drinks. 3 if you're at a cheap restaurant.



  • @topspin said in WTF Bites:

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?

    There are some tools that are even smart enough to or the criteria for the same column and and the criteria for different columns, which is 95% of the time what the user actually wants. Just Jira ain't one of 'em.


  • BINNED

    @loopback0 I did get caught in the rain (like, massive downpour on an otherwise sunny summer day) on a day in the zoo with my ex, and then again another time walking home from karaoke at the Irish Pub. I used to hum along to this song, but for whatever reason, he wouldn’t get it.


  • BINNED

    @topspin said in WTF Bites:

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?

    It just needs an invert results button, then to select ‘Alice or Bob’ you just select every other user and invert 🍹

    I realise that wouldn’t actually work (although it would include both Alice and Bob’s issues)


  • Notification Spam Recipient

    @kazitor said in WTF Bites:

    @topspin said in WTF Bites:

    @boomzilla you’d think a tool targeted at developers would allow specifying both and and or, eh?

    It just needs an invert results button, then to select ‘Alice or Bob’ you just select every other user and invert 🍹

    I realise that wouldn’t actually work (although it would include both Alice and Bob’s issues)

    .... would it though?


  • BINNED

    @Applied-Mediocrity
    Only if the error messages spews out Tabernak!



  • @Kamil-Podlesak said in WTF Bites:

    their AWS account actually pointed to some completely different, random AWS account

    That's AWfullnesS par excellence.



  • Reddit has a plan to cut costs by . . . . hiring more people.

    Reddit is trying to break even next year, according to an email to employees from Reddit CEO Steve Huffman.

    The Wall Street Journal reported that Reddit is laying off "around 5 percent" of its workforce or "roughly 90 employees."

    The company also reportedly cut the number of hires it planned for the remainder of the year to 100.

    So, their cost cutting plan is to lay off 90 people while at the same time hiring 100.



  • @Gern_Blaanston said in WTF Bites:

    So, their cost cutting plan is to lay off 90 people while at the same time hiring 100.

    Fire the expensive high-salary senior people and hire a pile of interns?


  • Notification Spam Recipient

    @cvi said in WTF Bites:

    @Gern_Blaanston said in WTF Bites:

    So, their cost cutting plan is to lay off 90 people while at the same time hiring 100.

    Fire the expensive high-salary senior people and hire a pile of interns?

    The math doesn't lie!

