Statistics
We looked inside some of the posts by brona and here's what we found interesting.
Average Info
Notes Per Post
2
Likes Per Post
2
Reblog Per Post
0
Reply Per Post
0
Time Between Posts
6 months
Number of Posts By Type
Text
11
Photo
1
Link
5
Last Seen Tumblr Blogs
Fun Fact
Mobile US users spent an average of 115.8 minutes on Tumblr app monthly.
Text
Samsung CHG70 Firmware Update
I was struggling for quite some time to upgrade firmware in my screen. Even after following the guide, I was always getting โNo valid update files found. Please check your USB device and try again.โ message.
My flash stick was 4GB already formatted as FAT32. Searching the forums, lot of people seem to have similar problem, I was getting hopeless. When reviewing the partition setup of my flash drive, I noticed it has GPT. I decided to re-partition it with the older MBR and that worked!
The screen seems to be able to read firmware only from drives with MBR and FAT/FAT32/NTFS.
I used the Mac OS X Drive Utility. Make sure to select the Device, not the Volume. Otherwise you canโt change the scheme.
This applies at least to C32HG70QQ and C27HG70QQ. In my case the full PN is LC32HG70QQUXEN, and I successfully upgraded to m-HG732CCAA-1024.0[2DA7].bin
Most recent firmware can be download from the Korean support site:
For 32โณ ver.1024, 2021-08-24 https://www.samsung.com/sec/support/model/LC32HG70QQKXKR/
For 27โณ ver.1025, 2021-03-04 https://www.samsung.com/sec/support/model/LC27HG70QQKXKR/
0 notes
Text
Simple Bazel Example
Install Bazel
brew cask install caskroom/versions/java8
brew install bazel
bazel version
Pull example
git clone https://github.com/bazelbuild/examples.git
Example Build
cd examples/cpp-tutorial/stage1
bazel build //main:hello-world
bazel run //main:hello-world
ls -la ./bazel-bin/main
Tutorial: https://docs.bazel.build/versions/master/tutorial/cpp.html
0 notes
Text
What is inside GoGogate 2? (Teardown)
Are you considering buying GoGogate 2 to control your garage or gate using your iPhone or alike? I was going to use my existing gate position sensor, however I had no idea how the inputs of GoGogate 2 are wired. No luck on the internet however I gave it a shot.... And no problems whatsoever :). I can totally recommend it.
For whoever might be interested here are photos of GoGogate 2 boards after disassembling and reverse engineered schematics of the input circuitry is below.
Ohh!! hello there, seems like GoGogate 2 is based on Raspberry Pi Model A+ V1.1, some custom shield board designed by REMSOL (Company behind GoGogate), some wireless module (guessing 433 MHz) and USB WiFi dongle.
Funny, that is how I would have done it these days. The best part? Delivered in days! It would be more fun building something on my own, but this is just what I need anyway.
So the inputs are isolated! (ROM-0505S DC-DC Converter to isolate power and photo-couplers for the switches). Only unidentified part is the 3 terminal 0805 SMD (U8) in line with power (most likely EMI filter). Outputs (not shown on the schematics) are relay based. The isolation is what I was looking for so I am happy with it. Well done REMSOL!
0 notes
Text
NX-OS Port to ASIC Mapping
Nexus 5000
sh hardware internal gatos all-ports
Nexus 5500
show hardware internal carmel all-ports
Nexus 5600
show hardware internal bigsur all-ports
Nexus 9000
show interface hardware-mappings
1 note
ยท
View note
Link
Example usage of the new Ansible Network Modules to gather show clock command output from Cisco IOS switches.
0 notes
Text
Networking blogs and conferences worth following
This is just list of my personal favourites, I will most likely update this list in future.
Blogs
http://packetpushers.net - Ethan Banks, Greg Ferro and others (weekly shows and community content, iTunes)
http://etherealmind.com - Greg Ferro
http://packetlife.net - Jeremy Stretch
http://comeroutewithme.com - Carl Niger
http://www.fryguy.net - Jeffrey J. Fry (Published workbooks, NX-OS, IOS-XR, JUNOS)
http://lostintransit.se - Daniel Dib
http://certification.codergenie.com/
http://networkgeekstuff.com
http://www.ipspace.net - Ivan Pepelnjak
http://thenetworksherpa.com - John Harrington
Conferences
NANOG
https://www.nanog.org
https://www.youtube.com/user/TeamNANOG
UKNOF
http://www.uknof.org.uk
https://www.youtube.com/user/UKNOFconf
Interesting People
Job Snijders
0 notes
Text
iproute2mac was accepted to Homebrew
iproute2mac (CLI wrapper for basic network utilities on Mac OS X providing linux-like ip command) was accepted to Homebrew master branch.
Installation is straightforward now:
brew install iproute2mac
0 notes
Text
Cisco VIRL Limitations
Just list of Cisco VIRL limtations / bugs I wish I'd have known as of Aug 2015:
You can not modify topology (add node/connection) once simulation has been started.
NX-OS does not support VPC http://community.dev-innovate.com/t/nxosv-more-info-updated-4-20-2015/632
OSPF/EIGRP does not form adjacency while configured on SVI (interface-vlan) using trunk ports. (Generaly multicast problem) http://community.dev-innovate.com/t/ospf-over-a-trunk-link-on-nx-osv/3591
0 notes
Text
Delete Known Government-Linked CA in Mac OS X
Simple script to delete Government-Linked CA https://github.com/sammcj/delete-unknown-root-ca
0 notes
Text
IPsec Site-to-site VPN RouterOS <-> StrongSwan (VyOS,Vyatta) with x509 Certificates
When doing IPsec Site-to-site VPN between Mikrotik RouterOS and StrongSwan (e.g. VyOS, Vyatta, linux distro) there is problem that StrongSwan some time ago changed default value of leftsendcert=always to leftsendcert=ifasked, which results in failed IKE negotiation.
Log:
pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: we have a cert but are not sending it without request pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: sent MR3, ISAKMP SA established pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: retransmitting in response to duplicate packet; already STATE_MAIN_R3 pluto[21004]: "peer-A.B.C.D-tunnel-0" #123: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
I found two practical solutions:
Modify RouterOS Configuration - Specify Remote Certificate in Peer configuration (Remote certificate needs to be imported)
Modify StongSwan Configuration - Add leftsendcert=always to /etc/ipsec.conf in related peer section
Tested on RouterOS 6.25 and StrongSwan 4.5.2-1.1.
1 note
ยท
View note
Link
vyatta-sslh - This package provides Vyatta/VyOS sslh configuration, templates and scripts.
0 notes
Text
Changing password in ActiveDirectory using Ruby and Net/LDAP
When trying to change password of Active Directory user using Net/LDAP in Ruby you will probably get into several problems.
You have to be using TLS secured connection
Bind user have to have appropriate role / privilege
New password have to fulfill Password Policy requirements according to your configuration.
Password have to be encoded regarding http://msdn.microsoft.com/en-us/library/cc223248.aspx (Quotes + UTF-16LE).
To make this work with Net/LDAP here is my working code snippet:
def self.str2unicodePwd(str) ('"' + str + '"').encode("utf-16le").force_encoding("utf-8") end Net::LDAP.open(..., :port => 636, :encryption => :simple_tls) do |ldap| result = ldap.search :filter => (Net::LDAP::Filter.eq("cn", "my_user")) ... ad_user = result.first ops = [[:replace, :unicodePwd, str2unicodePwd("new_password")]] ldap.modify :dn => ad_user.dn, :operations => ops end
And here is function I was using while debugging string manipulation:
def str2hex (str) str.each_byte.map { |b| "0x"+b.to_s(16).rjust(2,'0') }.join(" ") end
Hope this helps
0 notes
Text
IPv6 security in enterprise network
These days IPv6 is getting world-wide ISP adoption as well as implementation on content servers and server software but client side in enterprise networks is still problematic especially due to difficult IPv6 address assignment -> security issues.
In this post i will sum up current IPv4 security and possible IPv6 security implementations in Silicon Hill network. This network has 4000+ devices connected to tens of VLANs - all directly routed in C6500 box. It is very straightforward network topology and most security policies are applied in access layer.
In Silicon Hill network ...
You want to be able to identify users based on their IP address (abuse resolution)
You want to prevent IP address spoofing
You want seamless user experience (Default client configuration should work)
So there is proprietary management software which manages database of users, devices, their MAC and IP addresses and configures switches accordingly.
Current IPv4 security for wired devices
L2 security - Each user has allowed MAC addresses on his switchport (port security)
L3 security - Each user has allowed IP addresses configured in inbound ACL applied to his switchport
DHCP assigned addresses based on MAC address
Current IPv4 security for wireless devices
WPA2 Enterprise, RADIUS
L2 - Each user has allowed MAC addresses, which are checked during RADIUS ACCESS-REQUEST (Calling-Station-Id)
L3 - Only DHCP assigned addresses are allowed
It would be easy to implement IPv6 if same security approaches could be used, however this is not the case.
IPv6 address assignment
Client behavior in respect to global IP address selection is controlled using configurable Router Advertisements (RA) - SLAAC or DHCPv6.
SLAAC - Client uses network prefix (/64) provided in RA and chooses 64 LSBs of address in two ways.
EUI-64 - Device generates his host part of address from his MAC address using standardized algorithm.
Temporary address - Device generate his host part of address in random way (RFC 4941).
Temporary addresses are game changer, they prevents user tracking, however they made implementation of IPv6 security very problematic - once network administrator decides to use SLAAC, he looses control over which addresses are being used by users.
If there would be single bit in ICMPv6 RA to control wherever device is allowed to generate Temporary address there would be no problem!
Thus if inbound ACL is applied to users switchport, which allows him to use only specified address (eg. EUI-64), once client device generates Temporary address it ends up with misconfigured dual-stack and would most probably end up in broken user experience.
Device would think it has valid IPv6 configuration, however ACL would drop its packets - this would result in timeouts of various protocols.
Solution?
DHCPv6 - Equivalent to DHCPv4, however several differences are there, most notably:
You cannot use MAC address to identify devices. Instead DUID is in DHCPv6 packet.
You cannot set default route.
For DHCPv6 packet delivery Link-Local and multicast addresses are used.
Which addresses are used to deliver DHCPv6 packets is not real problem and can be solved easily (Adding these addresses to switchports ACL).
Even using RA for default route preference makes sense.
DUID instead of MAC address for identification is again enhancing user privacy, however it is making implantation of IPv6 security problematic. Most because its generation is leaved to operating system and thus can result in problems as changing DUID after reinstallation of OS, or same DUID for cloned VMs.
This would leave us to constantly updating our database of users devices with their DUIDs.
Solution?
We could use DHCPv6 server which would listen on L2 to DHCPv6 packets and read MAC addresses directly from L2 frame header.
Current implementation of ISC-DHCP is not supporting any of this. What is interesting is RFC 6939 which adds Client Link-Layer address (MAC) as DHCPv6 option. This if implemented in DHCPv6 Relay on our C6500 would enable using ISC-DHCP for v6 the same way as for v4.
In the mean time we can use another DHCPv6 server - dhcpy6d (Developed at IFW Dresden). With simple modifications dhcpy6d can read MAC addresses from L2 frame header and provide address allocation according to static records in PostgreSQL database.
Conclusion
Enforcing security in IPv6 is not plug-n-play and for those which find logging of ND table (IPv6, MAC pairs) insufficient there is really no deployment ready simple solution.
0 notes