Today I was playing with OpenBSD routing domains for the first time. Traditionally, multiple interfaces are connected to one routing table. A global switch called 'IP forwarding' turns packet flows between all interfaces on or off. More fine-grained control requires some kernel-level packet filtering, usually done by PF on OpenBSD. However, with rdomains one can easily isolate traffic to specific routing domains, to separate networks in kernel space.
Monday, January 30 2017 20:08
Recovery boot encrypted macOS Sierra
While playing with ulimit, launchd and friends I've recently shot myself in the foot. But since it's Unix I did this very efficiently. You might know this old quote from Terry Lambert:
It is not UNIX’s job to stop you from shooting your foot. If you so choose to do so, then it is UNIX’s job to deliver Mr. Bullet to Mr. Foot in the most efficient way it knows.
Saturday, October 15 2016 13:23
OpenVPN and OpenBSD 6.0
Over the last decade I have installed and used OpenVPN several times, for professional and home use. However, I didn't follow its development over the last 5 years and now got interested in it again. In this blog post I will cover those features which were either new to me or made me struggle.
Monday, August 15 2016 11:32
OpenBSD and PC Engines' APU
For quite a while, PC Engines' devices have been known to work well under OpenBSD. In the meantime, their famous Alix boards have been superseded by the next-generation systems called APU. At work, we wanted to build a cheap sniffing device that could be used to tap and investigate 'interesting' traffic. An ideal use case to learn about the current state of affairs: OpenBSD on APU.
Thursday, July 14 2016 16:45
Let's Encrypt on OpenBSD
UPDATE: letskencrypt has been merged into the base system of OpenBSD and renamed to acme-client.
When Let's Encrypt hit the planet and the euphoria calmed down, I decided to give it a spin as soon as a clean, secure and simple OpenBSD client would be available. I may be some months late: letskencrypt was published on GitHub on May 12th, 2016 and is currently available in version 0.18. I won't go into the merits of "why yet another client". Read Kristaps Dzonsons' page on his beautiful design using isolated independent components. No Python. No Ruby. No Bash.
Thursday, June 16 2016 16:00
Taking the Red Pill - Incident Response outside the Matrix
For the sake of completeness I'll add the slides of my talk at the FIRST 28th Annual Conference in Seoul here.
Tuesday, December 22 2015 09:46
SSH Backdoor in Juniper Devices
Have you ever found yourself in trouble arguing for the sake of OpenSource when it comes to transparency, security and correctness? Well, the quality of software isn't defined by whether it is conventional (aka "closed") or OpenSource. There is good/secure closed source software around, just as there is terrible OpenSource. And vice versa. However, there's a difference.
Thursday, January 1 1970 00:01
Hello World!
Yet another blog :/ Well, it's my personal tech blog where I mostly make notes to myself. Enjoy or ignore :)