Posts

Showing posts from January, 2020

Getting grasp of TLS versions

All major browsers and major service providers seem to be deprecating TLS 1.0/1.1 this year. It's a good move. TLS 1.2 has been supported for many years already on most platforms, and both TLS 1.0 and 1.1 have their big weaknesses. But what is the truth about usage percentages? If I want to disable the ancient TLS versions in my webgizmo, how many customers will I lose? First of all, you need to describe your customer base, because it depends. If you are creating a service for a small number of generally tech-savvy users, it's a totally different situation than if your service is global, with users from all around the globe and at every level of technical knowledge. So, as I wrote in the previous posts [links at the end of this post], I had one service where the customer wanted data about the actual situation. Which is not a bad idea, not bad at all. Data is always good, oh so good. Some specs about the service. National service, not global. Mostly home user...

"Have you tried to turn it off and on again?" + some LDAP magic

"Sir, have you tried to turn it off and on again? And have you double checked that everything is connected properly?" There are multiple reasons why IT support asks these questions. And not only because even IT wizards every now and then forget this most basic troubleshooting procedure. Whatever your weird issue with any kind of computer system is, it's better to restart/reboot the system before doing any deeper debugging. In 99,99999....% or so of cases (and I'm not exaggerating at all!) this solves the issue. We had such an incident at work this week, and that made me recall one situation some years back. So, blog post it is! "We have this older PHP application and need you to connect it to our LDAP server." Normal requirement. Not a big issue, especially if the application just supports LDAP. You configure the LDAP server address, port and perhaps the user account used for connecting to the system. And in internal systems quite often you also need to ad...

Terraforming vSphere and Correct Firmware Config

After countless hours spent Terraforming Azure, it was time to roll up my sleeves and take on the next quest: Terraforming vSphere. The basic concept is similar, but there are differences, of course. Luckily we have Google today, so I found plenty of examples. And as seems to be the norm, they all lack some important bits. I know, it's easy to write a very simple howto without too many bells and whistles. But no one will actually use that kind of setup in real life. I cloned a GitHub repo and tried to follow the linked tutorial, except with another Linux variant instead of CentOS 7. But it shouldn't be an issue in this exercise. Otherwise everything worked like a charm, but it just didn't boot. My newly created VM couldn't find the boot disk! Tried again. No luck. Tried a slightly different config. As you can already guess, no luck. Okay, perhaps the template I created is somehow broken? I tried to deploy the VM from a template via the vSphere UI. Guess what? It wor...

IIS logs and ELK Stack

This is a sequel to https://ragolsec.blogspot.com/2019/12/win2012r2-iis-85-and-logging-client.html So, now I had multiple log files with crypto settings included. What next? Some days after I had restarted the logs with current settings I got a message from the project manager: "I have the meeting with customer, starting in a couple of minutes. Do you have the data for me?" I saw this message some minutes after the meeting had already started, *sigh*, but decided to do what could be done. And I opened Excel. Yup, Excel. Log files are kind of CSV, although the separator is a space, not a comma, so for really quick and dirty work Excel is quite fine. I've always said that Excel is probably the most misused program in any corporate environment... :) Excel is kind of like a Leatherman-type tool. There are better special tools for every job, but you can do so many things (poorly) with a Leatherman (or Excel) that as a package, it's just invincible. Almost. I had abo...

GitHub Novice Meets Ansible, Azure and Terraform

"Git is hard" is something you hear every now and then, though it seems less and less every year. But it can't be too hard, even for a non-developer sysadmin, right? Although, I don't want this to become a Git blog or a Git loving/bashing text, so let's move on. As I wrote in the first blog text, I have been working on a project where Ansible and Terraform meet Azure. Or GitHub novice meets them all. So, first I had to create an account on GitHub and create a repo there. Before the repo could be created, I had to again solve the biggest problem of them all. Naming things is really hard, as the old saying goes. There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors. Finally I resorted to ragol-github as my GitHub username (because plain ragol was not available) and security-infra as the repo name. I had a need from work to familiarize myself with OpenVAS, and because I also wanted to get a better grasp of IaC things...

Bookworm?

As I mentioned in the first post, I enjoy reading. I have always read quite a lot since I started reading, but of course there are times when I read more, and for example during my M.Sc studies I didn't read much fiction, which I usually prefer. I just had to read so much for studies. Unfortunately, at least for a data lover like me, I haven't kept statistics about reading except for the last few years. So, I have no idea how much I read when I was a teen and people told me that I read a lot. Last January I stumbled upon Helmet-lukuhaaste 2019 (same in English) and decided that even though 50 books per year sounds like too much, I will try to read at least 30 or even 40. The concept for the Helmet reading challenge is wonderful. They won't give you titles, they give you "categories" like: 'Book chosen from a bookshelf with your eyes closed', 'The book title has a profession in it', 'A banned book', 'A book that you see someo...