• An argument in favour of application level name resolution

    Recently I published some documentation detailing how to build and run your own DNS-over-HTTPS (DoH) server.

    As I mentioned at the beginning of that documentation, there's been a certain amount of controversy about DoH vs DNS over TLS (DoT).

    One thread of that argument is along the lines that name resolution should be handled at the OS level (so that all applications get the same result for a given name - improving troubleshooting - as well as giving some caching benefit, versus applications resolving names themselves).

    Generally I've found that argument fairly persuasive, but also taken the view that DoH being implemented at the application level is the result of a general lack of availability/uptake of DoT at the OS level.

    In other words, whilst it's not ideal for applications to be resolving names themselves, it makes an (arguable flawed) privacy-enhancing solution available now, rather than continuing to wait for an (arguably) better solution to actually get adopted (and ignoring whatever reasons led to that lack of adoption).

    But, I've begun to change my mind on whether applications doing resolution themselves really is a problem, or whether it's actually more beneficial when considered alongside some of the aims of DoH

  • Communicating with HomePlugAV Devices using Python

    I've got a couple of pairs of ON Networks' PL 500 HomePlugAV Powerline Adapters and have been playing around with them to see how they compare to the Computrend 902 devices I played around with 5 years ago.

    I'm still playing around with the kit, but thought I'd document a very basic example of how to send commands to the devices using Python - the instructions should work for any kit based on Qualcomm's INT6x00 and AR7x00 chipsets (mine use the AR7420/QCA7420) - we'll be changing one of the encryption keys (the NMK) that the devices use

  • Creating a virtual Network Interface in CentOS 6

    Sometimes you need to assign more than one IP to a server, even if it only has one NIC. To do so, you create a virtual (or aliased) interface, attached to the physical NIC.

    This documentation details how to do this in CentOS5 / CentOS 6 (this also applies to CentOS7 if you're not using Network Manager).

  • Creating a Virtual Network Interface in Debian

    There are times when you might want to assign more than one IP to a system, even if it only has a single physical NIC. This documentation details how to create a virtual network interface (known as aliasing) under Debian (see here for how to alias in Centos 6).

  • ON-Networks PL500 Powerline Adapters

    Quite some time ago, I played around with some Computrend 902 Powerline adapters and found a number of different security issues - here and here

    Those devices are long gone, but whilst the issues I found were relatively minor (if nothing else, proximity was required) it left me a little concerned about the security of any devices that might replace them. For quite some time, I didn't need to use any powerline adapters, but eventually the need arose again (no practical way to run CAT-5 to the location and the Wifi reception is too spotty).

    So I bought 2 pairs of On-Networks' PL500S Powerline adapters. Depending where you buy them from, the model number may be PL500P, PL500-UKS, or even the Netgear part number - Netgear ON NETWORKS PL500-199UKS.

    I've not got as far as giving them a serious hammering from a security perspective as yet, however there doesn't seem to be much information about these devices available on the net (and what is there is potentially misleading), so I thought I'd post the information I've pulled together from prodding the devices, as well as a few common sense facts that might be being missed. As I'd have found some of the information helpful had it been available prior to purchase, I suspect others might find it of use too.

  • The Storm Ate my Broadband

    Like many in the country, the storm has left me feeling somewhat isolated - that is to say my broadband is down. Don't get me wrong, I'm just glad the power is (mostly) back, and I'm far better off than some who've had their lives affected.

    The simple fact, though, is that I have things I need to do, and not having a broadband connection really gets in the way of that.

    Living where I do, there's precisely one place in the house that gets a 3G signal, unfortunately that place isn't particularly conducive to sitting comfortably. Whilst the Wifi hotspot functionality on my phone helps, the range isn't great enough to let me sit somewhere that I might be able to concentrate.

    So, somewhat convoluted workaround needed;

  • Usurping the BTHomeHub with a Raspberry Pi: Part 2 - DNS, DHCP and NTP

    In Part One, we configured our RaspberryPi to act as a Wireless access point and bridged the wireless and wired interfaces so that WLAN client's were easily accessible from the LAN.

    As part of that setup, we configured a DHCP server, however we haven't yet made it the DHCP server for the LAN - our tired old BTHomeHub is still the authoritative server for the network.

    In this part, we'll be reconfiguring our DHCP server so that it takes responsibility for the entire LAN, configuring DNS services, and making our Pi the LANs central NTP (Network Time Protocol) Server

    Step by step, we'll be configuring our Raspberry Pi to take over nearly all of the duties performed by the BTHomeHub.

  • Vulnerability: Infiltrating a network via Powerline (HomePlugAV) adapters

    As I posted recently, I've been playing around with some of ON Network's PL500 HomePlugAV Adapters. Given my previous experience with Powerline adapters, as part of that tinkering I thought I'd see whether they contain (or are) a security issue.

    Unfortunately the news isn't great, as I can now get effective physical network access using the HomePlugAV adapters as my entry point. It does, of course require some proximity to the target network, but is otherwise pretty straight forward.

    As I don't have $5,000 to spare, I did this without reading the HomePlugAV technical specification.

     

    Responsible Disclosure: Before publishing, I contacted the HomePlug Alliance to notify them of the issues I'd identified, but have had no response