Remember the X.509 PKI? You know, the one that gave us

- "Oh wait, certificate revocation is basically all broken"
- The One Where That Dutch CA Issued A Fraudulent *.google.com Cert

and my all-time favorite:

- Honest Ahmed's Used Cars & Certificates
bugzilla.mozilla.org/show_bug.cgi?i… It's great, because it secures virtually all web traffic, and all you have to do is get a certificate from a certificate authority -- any one at all!

Don't be picky: there are literally hundreds in your trust bundle:

Who reads your email? Ok, ok, nobody does. Even you don't want to, I know. But... who _could_?

A 🧵 about centralization of MX records across gTLDs: SMTP relies on MX records in the DNS to identify which server(s) it should hand the mail off to, and over 40 years after RFC722 was published, email is still cleartext.

Together, this means that any receiving mail server can trivially read any message passing through.

Who controls the internet?

A Twitter 🧵 (if those still work) about diversity of authoritative NS records in gTLDs: Why yes, the internet is resting on a foundation of duct tape and WD40, aka the DNS.

(Yes, yes, obligatory XKCD.)

Time is an illusion, Unix time doubly so.

A Twitter 🧵 coming live at you at a palindromic 1666666661... As you well know, on Unix systems we measure time as the number of seconds since "the epoch": 00:00:00 UTC on January 1st, 1970.

This has made a lot of people very angry and been widely regarded as a bad move.

Hey, so y'all know SPF, the Sender Policy Framework, right?

It's straight forward, isn't it? I mean, client connects, you check envelope-from, client IP, and (what else) a DNS record, and then make your call.

Well. Turns out there's (a bit) more to it. Let's take a look... Simple example:

We try to send mail pretending to be from Microsoft through Yahoo's mail server.

Yahoo looks up microsoft.com's TXT records, finds our sending IP is not authorized, and rejects our mail.

Pop quiz: what is the maximum size of a DNS response? Everybody Knows(tm) that your DNS response MUST fit into 512 bytes, because that's the size of a UDP packet. Right?

Let's pretend that's true. How many A records can you put into a round-robin?

Here's a name that will return a bunch of A records and still fits into 512 bytes:

Lol, blocking "URLs containing ${ may reduce your risk" - I like where this actively exploited Confluence RCE CVE-2022-26134 0-day is going...

confluence.atlassian.com/doc/confluence… Atlassian now has updated the mitigation advise for CVE-2022-26134 to include replacing the xwork jar (or xwork, webwork, and CachedConfigurationProvider.class):

confluence.atlassian.com/doc/confluence…

All too often, you can't fix even trivial typos yourself (easily).

Editing is restricted or you may feel like you're stepping on somebody's toes; commenting disabled, or you fear being seen as nitpicking; or it's 100% static, with no indication of where it comes from. All that contributes to doc-rot. Sometimes it's a result of overly protective least-privilege (popular in infosec docs) or of simply not considering a developer-centric flow when publishing internal documents.

One of the biggest problems in any large organization is documentation. And it's not even that documentation often doesn't exist (although that _is_ a big issue by itself), but that where it exists, it can't be found easily. You all know the pain of trying to find content:
- search gdocs
- search confluence/wiki
- search jive (which for some reason is a thing)
- search git
- search browser history / closed tabs

Finally ask on Slack and somebody who happens to know the location gives you a link.

Good news, everyone! Coming to you live from Omicron Persei 8, in Hypno-Vision, and sponsored by Bachelor Chow:

🧵 What If Programming Languages Were Futurama Characters? 🧵 Fry is... Perl:

A bit goofy, but optimistic and well-meaning. Seems like it's been frozen for 1000 years, but still delivers. Kind, forgiving, but not always quite so bright. Accidentally became it's own grandfather (via autovivification).

It is a truth universally acknowledged, that any developer accessing a web service must be in want of using "curl -k".

-- Jane "DevOps" Austin Let's discuss certificate errors and how to better understand them rather than ignore them.

That's right, it's a 📃🐞🧵!

I frequently see even senior engineers misdiagnose network errors, chasing false flags and inadvertently wasting time debugging problems that could more quickly be diagnosed by paying closer attention to the error messages provided. The best way to cut down on wasted time is to quickly answer the question:

"Is it the DNS, the network, or the app?"

(And no, it's not _always_ the DNS.)

A quick weekend 🧵 on basic network troubleshooting:

You know, pwnkit made me think again about how the nature of our Unix systems has changed.

A multi-user, general-purpose OS really isn't what we need these days, for the most part. Take a look at the various setuid/setgid binaries on your system:

find / -type f -perm /u+s,g+s

Which ones of those do you actually need?

Honestly don't get what the big deal about wildcard certs is. Now I can serve '*.netmeister.org' - big whoop. Fun fact: Firefox/Chrome won't let you visit https://*.netmeister.org:4443/, but Safari has no problem with that.

Apache can't parse "Host: *.netmeister.org" correctly and will return a 400 Bad Request; bozohttpd doesn’t care.

Hey, I have an idea: let's talk about TLDs!

You know, .com, .org, .net, .gov, .vermögensberatung and .香港 - those guys. As you know, the entire domain name space consists of a tree of domain names; the root of the DNS tree is . (dot), and the tree sub-divides into zones consisting of domains and sub-domains.

Per RFC920, the initial top-level domains were: .gov, .edu, .com, .mil, .org

Just how much stuff can we stash in the DNS?

A Twitter 🧵 of Resource Records: Ok, we all know the common resource records:

A - IPv4 address
AAAA - IPv6 address
CNAME - kinda like a symlink
NS - name server
MX - mail server
PTR - reverse IP to name
TXT - domain validation and 500 other things

URLs sure can be weird.

A 🧵 of 🔗-ish things you might not have considered... You know the basic make-up of a URL, right?

An incomplete list of #infosec core competencies
-
A Twitter 🧵 in no particular order: You should know...

How to read a CVE announcement and assess the impact based on its CWE / CVSS score and description. Understand that CVSS scores are relative and impact in your environment may be different.

Look, your email validation logic is very, very likely wrong.

A few examples: Email addresses can contain multiple '@'s.

Well, SMTP "RCPT TO" anyway, where this is valid:

@1st.relay,@2nd.relay:user@final.domain

MTAs generally don't relay them any more, but most seem to accept and deliver to user@final.domain.

Oh, lol, looks like Azure DNS is busted right now. That's... gotta hurt. How’d I notice? I didn’t receive an email to my @FollowStevens address, because my mail server doesn’t talk to MTAs that it can’t reverse the IP address for, which is a great lesson for my students, since we _just_ discussed SMTP and spam protections. 😂

10 Software Engineering Laws Everybody Loves to Ignore

A Twitter 🧵 1. Conway's Law

Also known as: "You will ship your org chart."

"Any organization that designs a system will produce a design whose structure is a copy of the organization's communication structure."