menu

Posted on by Arnon Erba in News

Update 1/16/20: According to Namecheap, the issues with DNSSEC have been resolved as of 2:00am EST (11:00 PM PST).

Have a domain registered at Namecheap with DNSSEC turned on? Now might be a good time to check if it still resolves.

Since at least 11:21pm Eastern Standard Time (8:21pm Pacific Standard Time) today, DNSSEC for domain names on Basic/PremiumDNS has been broken. So far, the issue appears to be caused by an expired signing key, but according to the latest status update “there is no current timeline for resolution of this issue”. This happens to be a fairly serious issue as DNSSEC validation for affected domain names will fail and cause websites and services to become inaccessible to some users.

The full text of the status update is copied below. This post will be updated if the status of the incident changes.

We are currently experiencing temporary technical issues with DNSSEC for domain names on Basic/PremiumDNS. If your domain name has DNSSEC option enabled, it may cause DNS performance issues. Unfortunately, there is no current timeline for resolution of this issue. We will keep you updated on the progress. Meanwhile, please contact our Support Team for assistance and more details. Please accept our sincere apologies for the inconvenience. Thank you for your continued support and patience.

Oh well, maybe no one is using DNSSEC anyway.

Posted on by Arnon Erba in News

It’s time: extended support for Windows 7 ends today. Originally released on October 22, 2009 and superseded by Windows 10 almost five years ago, Windows 7 carved out a huge market share for itself in enterprise and home environments alike. In fact, it took Windows 10 until the end of 2018 to finally break Windows 7’s dominant hold on the desktop OS market.

However, it’s time to move on. Windows 10 is a better, faster, and more secure OS that is — and has been for a while — the natural choice for modern environments and modern hardware. Even so, upgrading software and replacing legacy devices in huge organizations is difficult, and Windows 7 is sure to stick around as long as Microsoft offers the paid Extended Security Updates program to companies still trying to migrate. Just like with Windows XP, Windows 7’s story doesn’t end here.

Posted on by Arnon Erba in How-To Guides

Ubuntu has been using update-motd as a MOTD (Message of the Day) generator for several years. Some of the default messages — such as the number of available security patches — can be helpful, but not everyone likes being greeted by a barrage of text every time they log in to their server. In this article, we’ll explore how to adjust, disable, or replace the dynamic MOTD in Ubuntu.

Before You Begin

If you’d rather work with update-motd than turn it off, detailed documentation for changing its output is available in the man page for update-motd. Essentially, the dynamic MOTD is generated by a collection of executable scripts found in the /etc/update-motd.d/ directory. These scripts can be updated, removed, or reordered, and new scripts can be added.

Disabling the Dynamic MOTD

While Ubuntu does not provide a straightforward way to remove update-motd, it’s possible to disable it by adjusting a few PAM options. Two lines, found in both /etc/pam.d/login and /etc/pam.d/sshd, cause update-motd to run on login:

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

Commenting out these lines in both files will prevent the pam_motd.so module from being loaded and will disable the dynamic MOTD.

Bonus Section: Enabling a Static MOTD

If you still want a message printed to the console on login, you can fall back to a static MOTD. Per the man page for sshd_config, OpenSSH can easily be configured to display a static MOTD:

PrintMotd
Specifies whether sshd should print /etc/motd when a user logs in interactively. (On some systems it is also printed by the shell, /etc/profile, or equivalent.) The default is “yes”.

Ubuntu disables this option by default and incorporates /etc/motd into its dynamic generator, but we can re-enable the option to make /etc/motd work again. Add or uncomment the following line in /etc/ssh/sshd_config and restart the OpenSSH daemon to have OpenSSH print /etc/motd on login:

PrintMotd yes

Sources

Posted on by Arnon Erba in News

If you saw a headline earlier this week about a critical security flaw in VLC media player, you may not have gotten the whole story. In fact, the issue is not nearly as serious as it originally seemed.

About a month ago, a user opened a bug report for a crash in VLC caused by a specifically crafted mp4 file. With the cause of the crash still undetermined, MITRE assigned the bug a CVE identifier and gave it a “critical” score of 9.8.

With the bug’s true cause and impact still undetermined, Germany’s CERT-Bund issued an alert of their own warning of a critical flaw in VLC. Worse, because the now several-week-old VLC bug report did not list any significant progress by the VideoLAN team, CERT-Bund announced that no patch was available. The alert kicked off a flurry of other news articles that culminated in a misguided warning from Gizmodo to completely uninstall VLC.

Not a VLC Bug

The only problem was that there was never anything wrong with VLC in the first place. The crash described in the bug report was the result of a vulnerability in libEBML, a third-party library that VLC depends on. However, according to a thread on Twitter from the VideoLAN team, a patched version of libEBML has been shipped with VLC for over a year. It appears the bug report was generated from a Linux system with an older, vulnerable version of libEBML installed.

With that in mind, the CVE score was lowered to “medium” and the report in the VLC bug tracker was closed. Ubuntu released an update for libEBML, and Gizmodo withdrew their doomsday-level announcement. In the end, no patch for VLC is currently required, though some Linux distributions may need to make an updated version of libEBML available.

Read More

Posted on by Arnon Erba in How-To Guides

(Editor’s note: This post has been updated since publication to fix broken links.)

If you have a recent business-class Dell PC with TPM version 1.2, you may be able to upgrade it to TPM version 2.0. Several Dell models are capable of switching between TPM version 1.2 and 2.0 provided a few conditions are met.

Prerequisites

First, your PC must support switching to TPM 2.0. Most supported models are listed in the “Compatible Systems” section of the instructions for the Dell TPM 2.0 Firmware Update Utility itself. If you can’t find your system in that list, there’s a good chance it isn’t supported by this process.

Second, your PC should be configured in UEFI Boot Mode instead of Legacy Boot Mode. Switching boot modes generally requires a reinstallation of Windows, so it’s best to choose UEFI from the start.

Finally, while optional, it’s recommended that you update your BIOS to the latest version. You can get your serial number by running wmic bios get serialnumber from within PowerShell or Command Prompt. Then, you can provide this serial number to the Dell support website to find the latest drivers and downloads for your PC.

Once you’re ready, you can clear the TPM and run the firmware update utility. However, since Windows will automatically take ownership of a fresh TPM after a reboot by default, we have to take some additional steps to make sure the TPM stays deprovisioned throughout the upgrade process.

Step-By-Step Instructions

  1. First, launch a PowerShell window with administrative privileges. Then, run the following command to disable TPM auto-provisioning (we’ll turn it back on later):
    PS C:\> Disable-TpmAutoProvisioning 
  2. Next, reboot, and enter the BIOS settings. Navigate to “Security > TPM 1.2/2.0 Security”. If the TPM is turned off or disabled, enable it. Otherwise, click the “Clear” checkbox and select “Yes” to clear the TPM settings.
  3. Then, boot back to Windows, and download the TPM 2.0 Firmware Update Utility. Run the package, which will trigger a reboot similar to a BIOS update.
  4. When your PC boots back up, run the following command in another elevated PowerShell window:
    PS C:\> Enable-TpmAutoProvisioning 
  5. Reboot your PC again so that Windows can automatically provision the TPM. While you’re rebooting, you can take this opportunity to enter the BIOS and ensure that Secure Boot is enabled (Legacy Option ROMs under “General > Advanced Boot Options” must be disabled first).
  6. Finally, check tpm.msc or the Windows Security app to ensure that your TPM is active and provisioned.

References

Posted on by Arnon Erba in News

Update 4/29/19: The bug affecting printing in Google Calendar appears to be fixed.

Trying to print your Google Calendar but keep getting a broken print preview window? Try enabling the “Show weekends” option under the Day/Week/Month/Year dropdown menu. If you don’t, you may be unable to print your calendar from any view.

It looks like this is a server-side issue, since a 500 error is logged to the browser console when the print preview window fails to load. Hopefully, Google will release a fix for Calendar in the near future, as the issue has already been reported on the Calendar forums: