Yesterday evening I rolled out the new update on my Nextcloud 21 instance. In the coming days, functional tests and adjustments will follow on the scripts for rolling out on customers’ systems Looking with interest on my Prometheus monitoring, how far the performance improvements affect actual implementation. That’s not usually worth an extra microblog. My point is, that I haven’t seen such a smooth upgrade of a Nextcloud main release with such broad app support for a while. Read more

Everyone knows the alert when visiting a website with expired certificates. At least once a month I stumble into one or I receive tickets with questions asking what to do. “Nothing” is my reply in most cases. “The mistake is on the other side”. On this occasion, my very special appreciation to the owners and/or administrators of such sites for the extra work required. The obvious solution to avoid such embarrassments: A software or service with periodic checking and notifications. Sounds obvious, but unfortunately doesn’t always work. Read more

Due to a vulnerability (CVE-2020-3419), attackers could join Webex meetings without being listed in the participants list. Hidden as a “ghost” from the other participants, attackers could eavesdrop on audio and video content. This is what Heise writes in his article today.1 But this is only possible (…) if attackers have access to meetings in the form of shared links and a password. Sounds quite trivial, but it isn’t. The objectives of confidentiality and integrity are lost when others eavesdrop unnoticed during a job interview for instance. Access data can be collected in unencrypted emails. It is not unusual for permanent meeting rooms to keep the same access data over an extended period of time. Read more

What a pity, this is exactly the scenario I first expected for Microsoft. But I’m not really surprised that Apple is now ahead, what happened? The ocsp.apple.com server was apparently down and/or unreachable between yesterday and today1. Unfortunately macOS tries to reach it every time an app is opened to check if a certificate has expired2 or an app has been retracted or some more magic. Of course this is not transparent, closed-source and therefore not verifiable. Read more

Winter is coming! Winter time has already arrived, and soon the Corona Lockdown aswell. Sitting at home in the warmth with a cup of tea, having a complete overview of the IT is a good feeling. The catchword here is “complete”. I don’t rely on traditional blackbox monitoring solutions1 but rather on the whitebox solution called Prometheus2. Behind Prometheus there is no single company but an initiative of various ones. The who-is-who of the tech industry with RedHat, Amazon, Apple, ARM and many others3. Of course Prometheus comes with a free licence and is completely open-source. Read more

This weekend I was very active in improving my own security. I have also found two neat tools for quality testing which are Hardenize1 and DNSViz2 - both added to my Micro-Blog post “Measuring website quality”. On my own mailserver I have implemented MTA-STA according to RFC 84613 incl. reporting. This standard is quite new (2018) and is particularly suitable for servers without DANE4. However, even without DANE I believe that I have the best and most complete server by standards (DKIM, SPF, DMARC, MTA-SRA, TLS-RPT, TLS1.3) in the entire Sieger- and Sauerland. Read more

I’ve started using Apache-Exporter1 for monitoring and checking this weekend how useful it is and how it can be integrated into my Prometheus2 monitoring enviroment. The server-status requests inevitably lead to more “background noise” in the Apache logfiles. The screenshot below clearly shows in the upper less section: Of course the requests cannot be prevented, but you can manipulate what Apache writes in its logfiles. It’s called conditional logging and allows you to set variables with SetEnvIf3 to any regex on each request. With SetEnvIfExpr it is even possible to perform expressions4, for instance to check if a request comes from your inside network segments: Read more

Today I’ve recieved a Email with following Headers: Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none Erhalten: from xxxxxxxx.protection.outlook.com May I ask openly what this “protection” outlook.com server does in the absence of common spam and security features? There are numerous tools in the web for (self-)checking. I usually provide this link and try to lead by example before going into further details like IP-Stripping, pentests or security: https://mxtoolbox.com/domain/jakobssystems.net/ With this in mind, stay healthy! Read more