I own a Synology DS413j NAS (home fileserver, four disks); this is mostly a rather nice box, albeit with some quirks. Some quirks might drive me away from buying a replacement box from this manufacturer; I am perplexed that to fix two-factor authentication sign-on, using a locally generated TOTP code, I had to clear cookies for Google. This is a home box and there should be no third-party tracking cookies for how I access devices within my own household.
Some changes in local anchors and identity. PGP I am now completely cut over to using my PGP key generated in 2013, as a 4096-bit RSA key, to replace the previous 1024-bit DSA keys from long ago. The new key, 0x4D1E900E14C1CC04, is in the strong-set: I took care to ensure that was the case before cutting over to it. It has been signed by both my older keys, with a Signature Policy URL which ends /self and the text retrieved therefrom asserts that it's an “it's me” binding.
Four small things, none on their own worthy of a blog post; the first three are debugging notes from the past week or so and the last is … stunned admiration for PR skill. First up: FreeBSD Jails and nullfs and ZFS ZFS is very handy in FreeBSD 10, where you can now boot from ZFS. Note though that zfs maintains its own internal mapping of where names should be mounted, used via zfs mount -a in /etc/rc.
Last night (or very early this morning), the XMPP service for spodhuis.org (this grumpy troll's primary domain) received an upgrade. TLS trust verification for outbound connections can now be performed via DANE lookups. DANE is a mechanism, using DNS, DNSSEC and a TLSA record type, to provide verifiable information in DNS about the trust anchors for reaching a particular service, such that verifying the certificate or public key identifying the remote end of a TLS connection need only rely upon the data in the DNS.
Had an interesting spot of debugging today, which highlighted a few issues. One of them is my “Oh, I knew about that feature, interesting to see how it interacts here.”, which might cause some programmers to chuckle darkly. One server component which my employer maintains talks to a third-party API for an ancillary service; this is over HTTPS with secret API keys. All certificates and hostnames are validated, etc. Recently, the connectivity broke.
DMARC is in the email tech news once more, following Yahoo's decision to publish a DMARC policy on some of their domains, telling recipient systems to reject mails which do not have valid origin information. I've previous written here about DMARC in the context of its privacy implications, covering mailing-list disclosures and then revisiting, for bug interactions making matters worse. In addition, my name has come up in various circles because of a patch to Mailman which I contributed to.
Containers are a decent technology, whether they're FreeBSD's Jails, Solaris Zones or Linux's version. Linux comes with the LXC tools which can be quite useful to managing the containers. If you're happy to use NAT in front of each container, or a proxy (such as SSH configuration using ProxyCommand to ssh to the containing host) or a web-proxy in front of services, the defaults are decent enough; to be able to directly connect to container service, you want the containers to be on a network which is reachable from outside that machine.
Effective immediately, I will no longer be issuing CACert assurances. My disillusionment has just boiled over, to a level where I do not want to expend any more energy supporting a project where politics has won out over practical security. While it's a shame that politics elsewhere have kept the CACert root certificate out of browser default trust anchors, CACert remained useful enough as a “private CA which other technical people can probably verify more readily than a certificate from my own CA”.
I've had a few people ask me about Bitcoin recently. Rather than repeat myself more than I already have, I'm going to collect together some insightful links and copy/paste liberally from a public Facebook post's comments, where I wrote on the topic when asked. My thanks to Marc Whitmore for prompting the initial discussion, hosting my diatribe in his comments with nary a cross word, and generally being a true gentleman.