acme.sh is the ultimate DNS/SSL toolset! i have wasted my life!

I’ve been automating SSL renewals for almost as long as I’ve been deploying them. For the most part, it is very smooth and easy to do (thanks mostly to certbot and the hard work over at Let’s Encrypt). The trouble comes up with non-publicly-addressable servers and other custom setups. cough cough. . . Unifi. . . cough cough.

I recently discovered a tool that makes all those complicated setups as easy as the original certbot installs. acme.sh is that tool. Two lines! Not since screen have I regretted any time I spent not using such a tool.

./acme.sh --renew -d "unifi.domain.com"

./acme.sh --deploy -d "unifi.domain.com" --deploy-hook unifi
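Those two commands are usually run from cron, and the thing that bites people is deploying after a failed renewal, or deploying a certificate that was not actually renewed. The wrapper below is an added example, not part of the original post and not code from the acme.sh project. It assumes acme.sh is installed at the path in ACME_SH (override it with the environment variable), that the deploy hook name is whatever acme.sh supports for your target (unifi here, as in the post), and it relies on acme.sh exiting 0 when a certificate was renewed and 2 when renewal was skipped because the certificate is not yet due.

```shell
#!/bin/sh
# renew_and_deploy.sh: run acme.sh --renew, and only run --deploy when a
# new certificate was actually issued. Added example; not acme.sh's own code.

# Assumed install location of acme.sh; override with ACME_SH=/path/to/acme.sh
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"

# Usage: renew_and_deploy <domain> <deploy-hook>
# Returns 0 on success or "not yet due", 1 on renew/deploy failure, 2 on bad arguments.
renew_and_deploy() {
  domain="$1"
  hook="$2"

  # Reject anything that is not a plain hostname; this is what gets passed
  # to -d, so keep shell metacharacters and empty strings out of it.
  case "$domain" in
    ""|*[!A-Za-z0-9.-]*)
      echo "renew_and_deploy: invalid domain: '$domain'" >&2
      return 2 ;;
  esac
  if [ -z "$hook" ]; then
    echo "renew_and_deploy: a deploy hook name is required" >&2
    return 2
  fi

  # Renew first. The if-form keeps a non-zero exit from tripping 'set -e'
  # so the exit code can be inspected.
  if "$ACME_SH" --renew -d "$domain"; then
    rc=0
  else
    rc=$?
  fi

  case "$rc" in
    0)
      # A fresh certificate exists: push it to the target with the hook.
      "$ACME_SH" --deploy -d "$domain" --deploy-hook "$hook" || {
        echo "renew_and_deploy: deploy to '$hook' failed for $domain" >&2
        return 1
      }
      echo "renew_and_deploy: renewed and deployed $domain via $hook"
      return 0 ;;
    2)
      # acme.sh exit code 2: certificate not yet due, nothing to deploy.
      echo "renew_and_deploy: $domain not yet due for renewal, skipping deploy"
      return 0 ;;
    *)
      echo "renew_and_deploy: renewal failed for $domain (exit $rc)" >&2
      return 1 ;;
  esac
}

# Run directly: ./renew_and_deploy.sh unifi.domain.com unifi
if [ "$#" -eq 2 ]; then
  renew_and_deploy "$1" "$2"
fi
```

Drop it into the same cron entry you would have used for the two bare commands; a failed renewal now produces a non-zero exit (so cron mails you) instead of silently re-deploying whatever certificate was already on disk.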

Pro Tools users struggling with plugin licenses after activation, try this. . .

[Image: Antares Auto-Tune screen]

Users of Antares plugins, or others using the CodeMeter license manager, may be locked out of their licenses in Pro Tools. The licenses show up in the various license managers, but Pro Tools says NO. This is due to the added file system security of Mojave. Add Pro Tools to the “Full Disk Access” list in the Security & Privacy System Preference. That should solve the problem. Good luck.

New security updates overtake jailbreak advantages.

There are just so many privilege escalation fixes in the latest iOS 12.2 update. I finally removed the jailbreak from my primary device and updated. Privilege escalation is when an unprivileged or user process (like an app from the App Store or even a web page*) gets root or even kernel authority. This is when bad turns to worse, because it can do and see anything with any of the device’s data or sensors. Since even the big trusted apps have been caught tracking or stealing data, I simply couldn’t leave myself unprotected any longer.

I’ll still of course keep a development device jailbroken on 12.1.2 for all of the reasons. It was a wonderful experience, only slightly beta. I appreciate all the hard work by everyone in the scene. I think I am going to hate seeing the home bar again the most.

* Web pages are often sandboxed separately from the app itself. Some might argue that a web page would first have to escape the sandbox before it could escalate privileges. This is true, but I would respond that sandbox escape is just another form of privilege escalation, only one level down. There are also over a dozen WebKit fixes in this update.

Back to reality after another amazing DEFCON!

I met a pile of incredible people. Bought some amazing toys (for science), some I’ve even got working. Saw some talks and demos. Talked to some of my heroes and listened to even more. I saw Ladar Levison talk about epoxying your ports and adding thermite to your hard drives. I played with the ECU of a fake car! Now I just have to finish building the DarkNet Badge! Enjoy my pictures. The hat data is still being analyzed. I’ll try to build something out of it eventually.


[Gallery: DEFCON26 - Badge Acquired; DEFCON26 - Car Hacking Village Badge; DEFCON26 - Blockchain Badge; DEFCON26 - Show us what you got?!; Battlefield Las Vegas - Mac-10; Battlefield Las Vegas - Tank Collection; Battlefield Las Vegas - Tank crushing car; Battlefield Las Vegas - Tank crushing car close]

My first purchase from a KeyMe kiosk and I have notes!

[Image: KeyMe Kiosk]

I have used MinuteKEY in the past to easily bypass DO NOT COPY keys. Today’s errand was more about a quick solution than a security bypass. I was just copying normal keys today. Here is what I learned. With MinuteKEY, you could only make batch copies of the same key. In fact, the MinuteKEY kiosk locked your key into the machine until all the copying was done. There were zero protections against DO NOT COPY keys. They do however print keys right there in a variety of styles and colors.

[Image: MinuteKey - DO NOT COPY close]

Stepping back into Wireless Security

[Image: wifi-crack]

Believe it or not, my home network actually used RADIUS authentication many years ago, before I got a Nest (which still cannot connect to anything that isn’t open, WEP, or WPA/WPA2). At the time, I assumed the Nest app talked directly to the thermostat. Not true. It just needs internet to talk to its servers, where it receives the commands and preferences from the app. Armed with that knowledge and recent revelations about the security of WPA2, I set to the task of reimplementing RADIUS on my network. First, I needed to assess which devices, like the Nest, would be unable to make the transition. Luckily, most of these devices don’t need anything more than internet access. One was moved to a hard line and the last attached to a RADIUS-capable wireless bridge. I added an internet-only wireless network for my embedded devices and moved my privileged network to RADIUS authentication. It was time to change my password anyway. Stay safe!


Ubiquiti’s USG router steps up with dual wan support!

I was very excited to discover this feature listed in my Unifi controller today. You can now repurpose the VOIP port to act as a WAN2. The ironic part is that I don’t believe the VOIP port serves any actual VOIP function as of yet. I’ve been recommending these USG routers since I learned of their existence. Unfortunately a lot of my clients want dual WAN and, until now, the Unifi Security Gateway fell short. No longer. Ubiquiti has a really great product line with the Unifi. I am continuously discovering great new innovation with the latest update to their software, firmware, or cloud platform. I have been waiting for this!

[Image: Unifi WAN2 option]