Public Online TLS Talk

I’ll be talking about TLS at mug.org on 13 July 2021. I get more than an hour, so there’ll be time for an energetic discussion afterwards. Their web site is not yet updated, because I just now sent them the talk abstract.

This is an online meeting. All are welcome.

Online meetings are getting more common, and I’m getting more requests to present. While online talks don’t have travel time, they do take a kind of energy I call “people juice.” People juice is scarce and not easily renewed. Video calls are even more exhausting than regular ones. I haven’t made this an official policy yet, but I’ve pretty much set a limit of “not more than one presentation a month, and maybe zero depending on what else is going on.”

TLS Mastery Release, Sponsor Gifts, and Acknowledgements

As if 2020 wasn’t sufficiently rough, I spent it writing about TLS.

Now, I’m done.

TLS Mastery has escaped.

[Cover images: TLS Mastery, Beastie Edition and Tux Edition]

Transport Layer Security, or TLS, makes ecommerce and online banking possible. It protects your passwords and your privacy. Let’s Encrypt transformed TLS from an expensive tool to a free one. TLS understanding and debugging is an essential sysadmin skill you must have.

TLS Mastery takes you through:

  • How TLS works
  • What TLS provides, and what it doesn’t
  • Wrapping unencrypted connections inside TLS
  • Assessing TLS configurations
  • The Automated Certificate Management Environment (ACME) protocol
  • Using Let’s Encrypt to automatically maintain TLS certificates
  • Online Certificate Status Protocol
  • Certificate Revocation
  • CAA, HSTS, and Certificate Transparency
  • Why you shouldn’t run your own CA, and how to do it anyway
  • and more!

Stop wandering blindly around TLS. Master the protocol with TLS Mastery!

Available in the Beastie Edition and the Tux Edition. The only difference is the cover. Hardcover has both covers.

Get the two-cover hardcover at any of the print bookstores below, or direct from my bookstore.

Get the combined editions at:

Get the Beastie edition at:

Get the Tux edition at:


If you’re a sponsor: your gifts are on order. I have enough on hand for my Patronizers, so I’ll be shipping those first. As soon as yours arrive, I’ll get them to you.

This was a rough book to write, so I want to share the acknowledgements.

TLS is perhaps the most complicated topic I’ve ever written about. Writing this book would have been impossible without outside help.

This book would not exist if the Internet Security Research Group hadn’t deployed ACME and organized Let’s Encrypt. TLS certificates are not only free for most people, their maintenance and renewal is highly automatable. They’ve changed the whole Internet, and deserve our thanks for that.

It doesn’t matter how many RFCs I study and how many technical mailing list archives I read: I lack the expertise and context to best illuminate an arcane topic like TLS. The folks who read this manuscript’s early stages and pointed out my innumerable errors deserve special thanks. James Allen, Xavier Belanger, Trix Farrar, Loganaden Velvindron, Jan-Piet Mens, Mike O’Connor, Fred Schlechter, Grant Taylor, Gordon Tetlow, and Fraser Tweedale, here’s to you.

Lilith Saintcrow convinced me that The Princess Bride could be a useful motif for a serious technology book. This book was written during the 2020 pandemic, so I must also thank The Princess Bride for providing me a desperately needed sense of hope.

Dan Langille gracefully submitted to the pillaging of his blog for useful hints and guidance. I am grateful that JP Mens, Evan Hunt, and John-Mark Gurney provoked him into updating that blog and saving me a bunch of work.

I am unsure if I should profusely thank Bob Beck for his time and patience in revealing the innards of TLS, or profoundly curse him and his spawn unto the seventh generation. I must acknowledge the usefulness of “Happy Bob’s Test CA,” however, so I’ll raise a glass to that while waffling over whether or not the bottle of fair-to-middlin’ wine I owe him should be laced with iocane powder.

For Liz.

Again, to all the tech reviewers and Patronizers and sponsors: thank you. This book would not exist without you.

Online SNMP Talk Tomorrow Night

Late notice, but I have a brain like a stainless steel sponge.

Tomorrow night, 9 June 2020, I’ll be giving an SNMP talk at the mug.org meeting. The meeting starts at 6:30EDT or 22:30UTC, but they have to get through their usual meeting work before they unleash me.

The talk is, of course, based on SNMP Mastery. Or the Networknomicon. Whichever.

Put on your pajamas. Show up. Listen to my frenetic babble. There will not be prizes, because I can’t throw them at people.

Restore Woocommerce Users from Backup

(This post is for sysadmins. If you use WooCommerce but aren’t a sysadmin, it won’t help you. I can’t help you either. Sorry.)

I use WooCommerce on my bookstore. It’s built on top of WordPress and, as such, attracts spam users. About 40,000 of them since I opened it. The last time I investigated performance problems, I installed Bulk WP Delete to get rid of them. From everything I saw, it would only remove the spam users and leave the customers unaffected.

I was wrong. A small percentage of customers lost their accounts.

I took a backup of the database before purging the spam users, because I’m not a complete idiot. And I kept it close at hand.

If you accidentally blow away user accounts you need, and want to restore them without touching the rest of your database, you can. I used the command line. You can probably do the same using whatever pointy-clicky tool you like, but don’t ask me for help–I don’t know how to use them. Talk to your sysadmin.

The first step is to take a backup of your database. Make sure it’s a good backup, and keep it close at hand. If you screw up, you’ll need it.

I created a VM on my desktop, installed MariaDB, and restored the pre-purge database on that VM. Check the name of your Woocommerce database. Mine is named rapacity, because that’s why I run my own bookstore.

When a user tells you that their account is missing, get the email address they used to create their account. My example user is joe@bucketsofmoney.com.

On your VM, extract the user’s account information to a file.

# mysqldump --user=root -p rapacity wp_users --where='user_email="joe@bucketsofmoney.com"' --skip-add-drop-table --no-create-info > bucketsofmoney.wp_users

Go into the file and look for the user description.

INSERT INTO `wp_users` VALUES (3185...

The first number is user ID. Grab that user’s metadata.

# mysqldump --user=root -p rapacity wp_usermeta --where='user_id=3185' --skip-add-drop-table --no-create-info > bucketsofmoney.wp_usermeta

Copy these two files to your web server. Log into the web server, then into MariaDB, and load them:

MariaDB [(none)]> use rapacity;
MariaDB [rapacity]> source bucketsofmoney.wp_users;
MariaDB [rapacity]> source bucketsofmoney.wp_usermeta;

Now log into the WooCommerce interface and go to Users. Search for that account. Switch the user’s role to Customer.

The user now exists, but their existing orders are disassociated from their account. Go to the Woocommerce page, then Reports, and hit the Customers report. Under the “All Customers” tab, search for the restored account. Over on the right side, one of the buttons will give the option to reconnect previous orders to the account. That button doesn’t appear unless there are previous orders. Hit it.

The account is now restored.

If you screw up and fry the existing database, restore from backup:

# mysql -u root -p --one-database rapacity < mysql-backup-2019-03-23
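The procedure above reads the user ID off the screen and retypes it into the second mysqldump, and pastes a customer-supplied e-mail address straight into a --where clause. This added example (not from the original post) wraps both dump steps in a script: it sanity-checks the address before it goes into SQL, extracts the ID from the first dump file the same way the post says to do by hand, and feeds it to the second dump. It assumes the post's database name rapacity, root access with -p (which prompts for the password once per mysqldump run), and dump files named after the customer's domain; the dump line in the test is constructed.

```shell
#!/bin/sh
# Added example for the WooCommerce restore procedure; not from the original post.
# Assumed: database "rapacity", root via -p (prompts once per mysqldump run),
# dump files named PREFIX.wp_users and PREFIX.wp_usermeta.

# looks_like_email ADDRESS
#   Coarse check: exactly one '@' with something on both sides, and none of the
#   characters that could break out of the double-quoted SQL string in --where.
looks_like_email() {
    case $1 in
        *\'*|*\"*|*\\*|*\;*|*\ *|*--*) return 1 ;;
        ''|@*|*@|*@*@*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# wp_user_id_from_dump DUMPFILE
#   Prints the ID from the first "INSERT INTO `wp_users` VALUES (ID,..." line,
#   which is the number the post says to look for by hand. Fails if no row was dumped.
wp_user_id_from_dump() {
    sed -n 's/^INSERT INTO `wp_users` VALUES (\([0-9][0-9]*\),.*/\1/p' "$1" \
        | head -n 1 | grep .
}

# dump_customer DB EMAIL PREFIX
#   Step 1: dump the wp_users row for EMAIL into PREFIX.wp_users.
#   Step 2: dump that user's wp_usermeta rows into PREFIX.wp_usermeta.
#   Copy both files to the web server and load them with "source", as in the post.
dump_customer() {
    db=$1; email=$2; prefix=$3
    looks_like_email "$email" || { echo "refusing odd address: $email" >&2; return 1; }
    mysqldump --user=root -p "$db" wp_users --where="user_email=\"$email\"" \
        --skip-add-drop-table --no-create-info > "$prefix.wp_users" || return 1
    id=$(wp_user_id_from_dump "$prefix.wp_users") \
        || { echo "no wp_users row for $email in $db" >&2; return 1; }
    mysqldump --user=root -p "$db" wp_usermeta --where="user_id=$id" \
        --skip-add-drop-table --no-create-info > "$prefix.wp_usermeta"
}

# Example invocation, matching the post's customer:
#   dump_customer rapacity joe@bucketsofmoney.com bucketsofmoney
```

Run it on the backup VM, not the live server; the only thing it touches on the live side is the two dump files you copy over afterwards.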

As you might guess, this blog is mostly for my own later reference.

And the next time I have to delete spam users, I plan to just go into the database and drop every user who has never ordered anything. Forget plugins.

How did I solve the performance issues? My new web site has more images per page, especially the fancy new front page. Installing “WP Super Cache” dramatically improved everything.

MS Word auto-recovery files and Dictation

Today, I learned about Microsoft Word auto-recovery files.

If Microsoft Word crashes and can’t auto-recover the document, find the autosave file. The location is given in File->Options->Save. Sort the directory by date, and your autosave should be at or near the top. The file name ends in .asd. Copy that file elsewhere and open it in Wordpad.

Your text will be therein, stripped of all formatting but present.

In related news: I’m trying dictation. I know several authors who produce several thousand words per hour with dictation. I would like to produce several thousand words per hour.

Seemingly unrelated fact: I habitually hit the “save” button after typing every sentence. Note the key word: typing.

In more related news: installing Dragon 15 has made Microsoft Word lock up three times today. The third time, it couldn’t auto-recover the lost text.

And I hadn’t even thought about saving. Because I automatically hit “save” every sentence.

Beware your habits. They will cause you pain when you change.

Also: computers are terrible. I need a stenographer. Who understands MS Word styles.

Penguicon 2017 Schedule

Next weekend, April 28-30 2017, I’ll be at Penguicon. Two weekends after that (12-14 May), I’ll be at Kansas LinuxFest. But we’re on Penguicon right now.

Here’s my events and the description for each. Each is 1 hour unless specified otherwise. And I’m asking your help for some of these events. (Updated to add the LN2 events, which I’m not running but a guy has to eat sometime.)

Friday:
8PM: LN2 Ice Cream
9PM: The OpenBSD Web Stack – OpenBSD is best known for security and networking. But they also have a highly secure web server and load balancer. This talk will take you through the OpenBSD web stack, presenting its strengths and disadvantages. We’ll cover the httpd web server, free globally valid SSL certificates through ACME, the Common Address Redundancy Protocol for two-server clusters, and the relayd load balancer. Many of the security issues common on web servers are simply not an issue on OpenBSD. Come find out why!

Saturday:
9 AM: Writers and Traditional Publishing – So you want to sell a book to a publisher. How do you do that? What should you expect? How do you optimize your chances of getting not just a deal, but the deal you want? What gets some people into traditional publishing, and keeps others out? Come hear authors discuss the good and bad of the publishing biz!

10-11:45AM: Author Meet & Read, Vol. 1 – A big room with Clif Flynt, Mary Lynne Gibbs, Jen Haeger, Christian Klaver, James Frederick Leach, David Erik Nelson, John Scalzi, Clarence Young, and myself, all showing off our books, talking to our readers, and signing books. I will have my books still in print for sale. I’m expecting that the others will all have long lines and I’ll be there alone, so this is your chance to heckle me in person.

10:54-11:03AM: reading from git commit murder – Readings are tightly scheduled, so I expect this to begin and end sharply on time.

1PM: self publishing in 2017 – Self-publishing is an increasingly important channel for authors to reach their readers. It also changes constantly, with new tools and distributors opening daily and existing platforms changing. This panel brings together veteran self-publishers to share their experiences, discuss the changes of the last year, and give new authors an edge in the business.

2PM: 90 second reads – Join a handful of Penguicon authors as they read 90-second passages from their novels. The selections will be thematically linked based on keywords, such as sorrow, fury, funny, love, etc. Timing is crucial! After, there will be a Q&A with the authors.

3PM: LN2 ice cream

5PM: Writing High-Performance Nonfiction – Writing nonfiction is not merely reciting facts. It’s a specialized form of storytelling, very different from your college essays and book reports. Whether you’re writing memoirs or computer texts, using storytelling techniques transforms your work for the better. This talk takes you through making your nonfiction not only readable, but memorable.

7PM: BSD Operating Systems in 2017 – I’ll be discussing the current options in BSD-based operating systems, the big news from recent projects, new developments, and where we’re going from here.

8-10PM: LN2 ice cream

Sunday:

10AM: breakfast – LN2 ice cream

11AM: Senior Sysadmin Panel – Storage – The years know things that the days and weeks never know. We’ve gathered half a dozen people who’ve been sysadmins for over 20 years to talk about one of the most dreaded and annoying topics in computing: storage.

12PM: Self-Promotion for Creatives – Independent creators are their own PR departments. We have to not only make all the things, we have to spread the word about all the things. Here we have a bunch of artists and writer types who successfully spread their work across the world. What works? What doesn’t? How can you be shamelessly self-promoting without being a jerk? Come find out!

Where could I use help?

In the 90 second reads panel, I get a few 90 second periods to read a selection from my fiction. Each read should have a theme. Our group has four themes: Betrayal, Heartbreaking, Scary, Funny.

For those of you who have read my fiction: I could use suggestions for parts of my books that you thought fit these themes. I have a few thoughts, but what I think fits a theme is probably not what struck you lot as fitting that theme.

So: if you’ve read my fiction, what of mine would you suggest for a brief reading in any or all of those themes?

The semibug PAM talk live tweet

On November 8 I’ll be at mug.org, giving a talk on how “PAM is Un-American.”

Last night, I gave an early version of the talk to the smaller, and not recorded, semibug.org crowd.

Josh Grosse live-tweeted the event.

The actual talk will be recorded. And will have considerably less swearing. Because it’s being recorded.

And yes, I think there really will be a Complete and Unexpurgated Edition of PAM Mastery available at the BSDCan 2017 closing auction. All I’ll need to do is add all the swearing back into the book.

See Me in 2016

I have two more public appearances in 2016.

October 7-8, I’ll be at Ohio LinuxFest. They’ve asked me to speak on Introducing ZFS.

November 8, mug.org has invited me to talk about PAM. This is election day in the United States, so the talk is on how PAM is Un-American.

Sadly, family commitments prevent me from going to MeetBSD in Berkeley. Plus, there’s the whole “get on a plane” thing, which I try really really hard to avoid. I’d probably do it to see Berkeley, though. I’m pretty sure a pilgrimage to Berkeley is required once during my lifetime.

Other than that, you can catch me at a Semibug meeting.

Penguicon 2016 Lucas Track Schedule

While the folks at Penguicon reserve the right to change the schedule at any time, we’re close enough to the con that I’m comfortable releasing my talks and panel schedule. This is extracted from the official Penguicon descriptions and schedule.

Friday, 30 29 April:

6 PM – Social Media for Writers (panelist) – Hamlin
What social media trends does a writer building their web footprint need to understand? What are some Dos and Don’ts?

8 PM – PAM: You’re Doing It Wrong (speaker) – Windover
PAM, or Pluggable Authentication Modules, is one of the most occult parts of managing Unixish systems. The unique configuration syntax and idiosyncratic rule processing drives many sysadmins to copy working configurations from other people and random blog posts. This talk takes you through the essentials of PAM configuration. You’ll learn the components of PAM, how PAM processes rules, how to use multi-factor authentication, and get an overview of some useful PAM modules you probably haven’t used, based on my forthcoming book “PAM Mastery.”

10 PM – the ZFS File System (speaker) – Windover
ZFS, the Zettabyte File System, is one of the most full-featured filesystems available today and gives almost unlimited storage flexibility. Originally created by Sun Microsystems, the independent entity OpenZFS now develops ZFS as deployed in illumos, Linux, and FreeBSD. This talk takes you through ZFS’ features, including: data self-healing, deduplication and compression, clones and snapshots, copy-on-write, boot environments, replication, and more. Once you use ZFS, you’ll never understand how you lived without it.

Saturday, 1 May 31 April:

11 AM – Networking for Systems Administrators (speaker) – Windover
Too many organizations have a tense relationship between the network folks and the sysadmins. Sometimes it degenerates just short of war. But basic networking isn’t hard–if it was, network engineers couldn’t do it. This talk teaches the essentials, in a way that lets sysadmins troubleshoot network problems on their own. Sysadmins have amazing visibility into the network, once they know how to use it. We’ll cover cross-platform tools for viewing and troubleshooting the network, on both Windows and Unix.

4 PM – Encrypted Backups with Tarsnap (speaker) – Windover
Online backup is incredibly useful, but has many privacy and integrity risks. Tarsnap is an online backup service that only handles your data in encrypted form. It’s inexpensive and reliable. Plus you don’t need to trust the Tarsnap service–they can’t access your backups even if they want to. And Tarsnap’s built-in deduplication saves space, letting you store terabytes of backups in mere gigabytes of disk. This talk takes you through using Tarsnap, from backing up a system to customizing and rotating backups, to fully restoring them.

5 PM – Acts of Shameless Self-Promotion (panelist) – Portage Auditorium
What’s the best way to get your name forward?

7 PM – reading (speaker) – Writer’s Block (313 & 315)
My first ever fiction reading: my datacenter crime story “Wifi and Romex.” I’m sharing this hour with Ken MacGregor. Don’t know which half I’ll get.

Sunday, 2 1 May:

10 AM: Self-Publishing 2016 (panelist) – EMC 1
This panel discusses today’s self-publishing options and business models. Our panelists include authors who are both self- and traditionally published, in fiction and nonfiction, including people who are making an income entirely by self-publishing. We’ll discuss why we made the choice to self-publish, the pitfalls and lessons learned, and which business choices we’ve made on our respective self-publishing efforts.

12 PM: BSD Operating Systems in 2016 (speaker) – Windover Charlevoix B
The BSD family of Unix has been kicking around for almost 40 years now, and has taken different paths than Linux. Come see the last year’s developments in BSD land! One of them just might solve your intractable problem. We’ll talk about new things from FreeBSD, OpenBSD, plus updates from NetBSD, Dragonfly, and assorted derivatives.

2 PM: Senior Sysadmins Panel – Windover
Some say systems administration is a young man’s game, and that eventually sysadmins rise into management. They’re wrong. A sysadmin who measures their experience in decades has made mistakes younger sysadmins can’t even imagine. This panel lets you learn from their suffering, take advantage of their experience, and laugh at their pain.

I’ll have print books at all of my tech talks, including the brand-new FreeBSD Mastery: Advanced ZFS. You’ll be able to find my novels up in the Writer’s Block, rooms 313 & 315.

I’ll be kicking around the con the rest of the weekend, except for probably a lunch break Saturday. (Anyone interested in pho?) I’m not making a firm schedule for the rest of the time, but you’ll have a pretty decent chance at finding me at any of these events.

Friday 4 PM: LN2 Welcome Back Ice Cream
Friday 11 PM: LN2 After Hours Ice Cream
Saturday 3 PM: LN2 Guest Flavors Ice Cream
Saturday 11 PM: LN2 After Hours Ice Cream
Sunday 11 AM: LN2 Sunday Brunch Ice Cream

FreeBSD and pam_listfile

I’ve discovered unknown terrors while researching and writing PAM Mastery. Well, terrors previously unknown to me, at least. I’m certain that the OpenPAM and Linux-PAM developers are very much aware of them. (I’m also certain that they’re part of the reason DES keeps his hair cut so short, so that he can’t yank it out of his head in bloody chunks.)

Part of the writing process was building a giant spreadsheet listing operating systems, PAM versions, and which modules appear in each OS. Strictly speaking, OpenPAM proper contains very few modules. Most “OpenPAM” modules actually originate from FreeBSD. But people are free to use them, so they generally get lumped into the “OpenPAM module” bucket.

One module that’s conspicuous by its absence is pam_listfile. Pam_listfile.so lets you accept or reject access based on the username’s presence in a file. It’s much like the traditional BSD /etc/ftpusers functionality.

It’s a reasonable enough module. And I’m told that pam_listfile.so can be compiled to work on FreeBSD, but nobody’s bothered to submit a port. How to make it work is a perennial question on the FreeBSD mailing lists.

The good news is, you can easily emulate pam_listfile.so on FreeBSD using pam_exec. Pam_exec runs a command as part of the PAM chain. If the command returns 0, the module says to grant access. If the command returns 1, the module says to deny access. (Whether PAM obeys this instruction or not depends on the type of statement.)

Here I implement basic pam_listfile.so functionality in a shell script, pam_listfile.sh.

Enable pam_listfile.sh as an auth rule.

auth required pam_exec /usr/local/scripts/pam_listfile.sh

Now all you need is a script. This version of the script permits access if the username appears in /etc/validusers.

#!/bin/sh
# Grant access only if $PAM_USER appears as a whole line in /etc/validusers.
# -x matches the entire line, -F treats the name as a literal string rather than a regex.
/usr/bin/grep -qxF -- "$PAM_USER" /etc/validusers
exit $?

And here’s a version that rejects access if the username appears in /etc/validusers, exactly like /etc/ftpusers. It’s a huge change, adding an entire exclamation point.

#!/bin/sh
# Deny access if $PAM_USER appears in /etc/validusers, exactly like /etc/ftpusers.
! /usr/bin/grep -qxF -- "$PAM_USER" /etc/validusers
exit $?

You could add more functions as you need. The important thing is to return either 0 or not-zero.
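Here is one way to fold the two scripts above into a single pam_listfile.so stand-in. This is an added example, not from PAM Mastery or from FreeBSD: it takes a sense argument (allow or deny) and the list file on the pam_exec rule, ignores comment lines in the list file, and fails closed when the file is missing or unreadable, so a typo in the rule cannot quietly turn into “everyone gets in.” The install path /usr/local/scripts/pam_listfile.sh and the two sample rules are assumptions; pam_exec does export the user being authenticated as $PAM_USER.

```shell
#!/bin/sh
# Added example: a pam_listfile.so stand-in for pam_exec on FreeBSD.
# Not from PAM Mastery or FreeBSD. Assumed install path and rules:
#   auth required pam_exec.so /usr/local/scripts/pam_listfile.sh allow /etc/validusers
#   auth required pam_exec.so /usr/local/scripts/pam_listfile.sh deny  /etc/ftpusers
# pam_exec exports the user being authenticated as $PAM_USER.

# listfile_check SENSE FILE USER
#   allow: return 0 only if USER is listed in FILE (the first script above).
#   deny : return 0 only if USER is NOT listed in FILE (the second, /etc/ftpusers style).
#   Anything odd (empty user, unknown sense, unreadable FILE) returns 2, so the
#   pam_exec rule fails rather than silently granting access.
listfile_check() {
    sense=$1; file=$2; user=$3
    [ -n "$user" ] || return 2
    [ -r "$file" ] || return 2
    # Drop comment lines, then match the whole line as a fixed string, so a
    # username containing regex metacharacters can match only itself.
    if grep -v '^[[:space:]]*#' "$file" | grep -qxF -- "$user"; then
        listed=0
    else
        listed=1
    fi
    case $sense in
        allow) return $listed ;;
        deny)  if [ "$listed" -eq 0 ]; then return 1; else return 0; fi ;;
        *)     return 2 ;;
    esac
}

# When pam_exec runs us, PAM_USER is set: evaluate the rule and exit with its status.
if [ -n "$PAM_USER" ]; then
    listfile_check "$1" "$2" "$PAM_USER"
    exit $?
fi
```

Whether a non-zero exit actually blocks the login still depends on the control flag on the rule (required versus sufficient versus optional), exactly as the post says; the script only decides what pam_exec reports.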

PAM Mastery is over half finished. I’ve completed the parts on “this is how PAM works” and have moved on to “here are some cool PAM modules that you might want to use.”

And my marketing department says I need to mention that I’m taking sponsors on the print and ebook versions of PAM Mastery.