Scott Nicholas

I don't run my DNS server on my laptop and I don't plug in my smartcard at the datacenter (yet). So to keep the KSK offline, I have my YubiKey plugged into my home router, I ssh into that, and then ssh to the DNS server with the key shared over an ssh channel.

p11-kit-server creates a unix socket which then serializes the communication to the smartcard. p11-kit-remote is more like the xinetd way of doing things. It isn't what I want for this, but can be used in the reverse -- such that the dns server starts the communication to …

BIND9 has native pkcs11 support which is usually available in separate packages. But that does not work for smartcard. Your HSM would need to support every crypto function. We want to use OpenSSL engine to do everything except the few things that the smartcard holds secret inside (signing things with a key that can't come out). So don't bother with the bind pkcs11 packages.

This took too long to figure out because of a bug in libp11. I guess other software doesn't check whether the key has the private flag set. I would keep getting something like:

dnssec-signzone: fatal: cannot …

If you set remain-on-exit in tmux, and are too lazy to press Prefix x y <CR> or just prefer the way GNU Screen's zombie command would ask, "Kill/Respawn" then you have found the right place.

I know this doesn't work in 2.3 that is in Debian stretch, so unfortunately you'll need a later version. I'm not sure the earliest, but I just compiled tmux 2.8 and found what I needed in it's documentation.

set-hook -g pane-died 'command-prompt -1 -p "(k)ill/(r)espawn: " "if -Ft = \"#{==:%1,k}\" kill-pane; if -Ft = \"#{==:%1,r}\" respawn-pane"'

So they're putting more …

The page is hidden in the new web UI but if you visit https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key

and setup

https://github.com/dlenski/python-vipaccess

You can then use FreeOTP or Google Authenticator for PayPal!

Java is suppose to be cross-platform but in the case of the UniFi controller, that is not true. There is a snappy-java-1.0.5.jar which doesn't include FreeBSD/amd64 native libraries and thus doesn't work under pfSense. You'll notice this when you upgrade a UAP from 3.2.12.2920 to 3.3.17.3991. The inform url now requires the snappy compression I guess and if you sniff the traffic or look at logs you'll see a 500 failure and a trace about snappy. Just grab the one from the pkg system or, as I did:

wget http …

I've moved from using lighttpd+php+mysql+wordpress to nginx+pelican. My site is now static and on an even smaller vps. Costs went from $40/yr to just $15/yr. So far RamNode has been good. I meant to transition everything over but ... Oops. If you're looking for my old projects, then I am sad. Perhaps one day I'll get an itch to do things with the web again and put useful things here. Until then ... I sorry. :'(

Check if the current window is the window that triggered the beep using

${window.buffer} != ${buffer}

Set trigger conditions like this so that highlights beep for current window, but private messages won't beep in current window.

/set trigger.trigger.beep.conditions "${tg_highlight} || (${tg_msg_pv} && (${window.buffer} != ${buffer}))"

We have all seen this from time-to-time for a file we downloaded from the Internet:

It's usually not a problem because it's an installer and we run it once and it goes away. But what if it's a portable executable? Just exactly WHERE in the heck is this data stored?

NTFS has a feature called Alternate Data Streams (ADS) which is where this security information is stored. Grab a copy of the SysInternals utility streams to remove this offending data if you plan to keep the file around but don't want to completely disable the security feature.

And there you …

For some reason I decided to look into IPv6 again. Initially for AT&T since I was in the router page and saw it as an option that was disabled but not changeable. Then I logged into the router I have at my kids' house. I ran tcpdump and saw this:

root@OpenWrt:/proc/sys/net/ipv6/conf/eth1# tcpdump -vvv -i eth1 ip6
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
18:36:53.462003 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::7281:5ff:fe2c:bbd9 > ff02::1: [icmp6 sum ok …