IPv6-First LANs with VyOS

Published on April 11, 2024

When deploying access networks, current best practices require IPv6 and IPv4 access to be available for all devices. In this post we'll see how we can do this efficiently when using a VyOS router, with an IPv6-first mind.

Do you really need IPv4 anymore?

Published on April 9, 2024

In this post we explore the need for IPv4 in access networks and the current state of affairs for IPv6-mostly or IPv6-only networks. We go over all of the relevant technologies, such as NAT64, DNS64, PREF64, 464XLAT, SIIT, and the IPv6-Only Preferred DHCP Option. It's a mostly complete picture of the current IPv6 transition mechanism landscape.

Deploying Fiber In The Home

Published on February 29, 2024

Wiring fiber optic networks in buildings is certainly the future, and probably the present too. Follow a large deployment of a fiber optic network at my home to learn more about the technology, cabling, measuring, and design.

Single-domain or Multi-SAN certificates?

Published on December 9, 2023

When issuing certificates for TLS, you have the option of getting one with all of your domain names included, or one individual per domain. Which is better, and when?

The IXP is not your L2 Domain

Published on December 4, 2023

There is a very large number of Internext Exchange Points around the world, and a lot of networks are connected to at least one. But what happens when you forget to turn off Layer 2 protocols on the Peering LAN?

Introducing TP: A Zero Trust Secure Proxy

Published on November 15, 2023

On my journey to build a self-hosted Zero Trust environment I had to create TP: a secure proxy that takes care of a lot of the end user connectivity to my "Cloud".

Reset passwords after a data breach?

Published on July 27, 2023

Data breaches happen, and there is need for cleanup after such an incident. But perhaps quickly going to password resets or calls to enable 2FA are not the best advice that should be followed blindly.

L3 Hardware Offload on MikroTik CRS326

Published on February 5, 2023

MikroTik, with RouterOS 7, added the ability to offload IP Traffic to the hardware, and bypass the low performance CPUs of their products. As this feature is still developed, I put it to the test, using their cheapest device.

End-user Client Certificates with ACME

Published on December 6, 2022

Although not by design, ACME is mostly used today to issue TLS Server certificates, for use in the WebPKI. But it's a flexible protocol. An extra field here, a new challenge there. Let's see how far we can push it...

Workload mTLS with ACME & Go

Published on December 5, 2022

The ACME protocol can be used to obtain TLS certificates, and the most common usecase is definitely the WebPKI. However, it can be used for any type of certificate, including mTLS certs in a private PKI. In this post I am providing information on my design for use of ACME for workload certificates.

A scalable OCSP Responder on Cloudflare Workers

Published on November 16, 2022

OCSP is a protocol that helps clients figure out when X.509 certificates, such as the ones used for TLS, are revoked. However, there aren't many cheap or open implementations, especially ones that can scale. In this post I am building an OCSP Responder using Cloudflare Workers & Cloudflare KV.

Fixing IP Geolocation: An ISP Guide

Published on November 3, 2022

IP addresses are frequently geolocated in wrong places, even at the country level. The main reason is the wildly different and imprecise methods to obtain that information in the first place. As it can have a large impact on end-users, ISPs typically want to detect and correct these mistakes. I'm summarizing here the current best practices in fixing this problem.

AirPrinting across networks

Published on December 27, 2021

Apple's AirPrint protocol is by far the easiest method of printing over the network today, so much so that it even made printing on Linux a reality! However, setting it up to work across VLANs or even over the Internet is not easy. In this post I publish how I managed to get it working in a few easy steps.

Configuring COSMOTE VoIP on your PBX

Published on December 1, 2021

COSMOTE is an ISP in Greece that offers its landline telephony service over VoIP, terminated to its CPEs. However, it's been possible to request the SIP credentials and use your service on your own PBX. Since I couldn't find any documentation, and the process involved many hours of trying, troubleshooting, and rate limiting, I decided to post this tutorial which will hopefully be helpful.

The utilization of 44/8: the reason I mapped IPv4 & IPv6

Published on May 15, 2021

Radio amateurs around the world have been lucky to secure a large enough IPv4 allocation from the early days of the Internet, 44.0.0.0/8. Since then, it has seen various types of use, on and off the public Internet. In this post I explore the current usage by running some measurements on the hosts that currently live within it, from various vantage points. Somehow, I end up having to map all of IPv4 and IPv6.

I lost my wallet(s)!

Published on May 9, 2021

In the height of the 2021 cryptocurrency rush, I performed an experiment where I intentionally leaked a number of Bitcoin private keys to thousands of people, and then simply watched to see what happens.

The IPv4 Map of 36C3

Published on January 3, 2020

After mapping the Greek Internet, during my visit to 36C3, in Leipzig, I decided to map the event IP Space and create a nice animated GIF of the utilization, at least of devices responding to pings.

Mapping the Greek Internet - Oct 2019 Edition

Published on November 4, 2019

Inspired by a discussion I had in a RIPE Meeting, and a blog post I read last year, I set out to create a map of the Greek Internet, using IP, Hilbert Curves, and a lot of images.

The state of RPKI Deployment in Greece

Published on February 25, 2019

A report on the state of RPKI deployment from Greek networks, conducted February 2019, including the top ASNs in Greece.

Not everyone works for you

Published on March 7, 2017

A blog post on how some companies and people get confused and act like everyone works for them.

"Security" companies and abuse e-mails

Published on February 7, 2017

A post on how some so called "security" companies cause much more trouble that it's worth mostly due to ignorance on their part.

Debian Firewall when using Docker

Published on January 2, 2017

This post is a tutorial / guide on how to run a firewall on Debian or Ubuntu easily, even if you use Docker.

Guarding your Tor Exit's DNS

Published on October 4, 2016

An attack was published against Tor users that deanonymized them based on DNS. Here we see how Exit Operators can protect the users from these attacks.

Running a Tor Exit Node for fun and e-mails

Published on September 2, 2016

In this blog post, I go over the experiences I had running a Tor Exit Node for about 8 months.

Capturing flags in Thessaloniki

Published on August 26, 2016

A blog post on how a small group of people organized an educational event with a Capture the Flag contest in AUTh. The story and what I learned.

Setting up EdgeMAX Devices for OTE IPv6

Published on July 7, 2016

A guide on how to set up Ubiquiti EdgeMAX EdgeRouter as a PPPoE client with IPv4 and IPv6. The guide uses OTE as an example.

Get eBay Users' Personal Info for free!

Published on July 7, 2016

In this blog post I describe how an attacker got my personal information just by using eBay. It is based on a real story and should not be used as a guide.

In Transparency, Size Matters

Published on June 23, 2016

Certificate Transparency is a project started by Google in order to allow anyone to verify the practices of all Certificate Authorities. In this post, we take a look.

A Secure Week

Published on June 21, 2016

I challenged myself to spend a week without access to any HTTP website, in order to determine whether the web is HTTPS yet.

The callback

Published on March 15, 2016

A story about the current situation in Greece in terms of phone carriers and some truth about Vodafone's "Call Back" feature.

Now on Tor!

Published on January 7, 2016

A blog post about Tor Hidden Services and the announcement of the Official DaKnObNET Hidden Services, which allow visitors to access my websites over the Tor Network, in the form of Hidden Services.

Grab some popcorn and launch Popcorn Time

Published on August 2, 2015

I examine the security of the popular movie and TV series piracy application "Popcorn Time", and find multiple critical vulnerabilities that range from application code execution, all the way to remote code execution, for a full computer compromization, by executing arbitrary shell commands.

Password Managers and Security Questions

Published on July 24, 2015

In this blog post I talk about password managers, and how security questions can actually reduce your security. All this, over a nice, real life story I had with a customer service representative, who didn't like my first school's name, DzLCMpeyuAhAT>RgTuvJPna2s3K)8dUM^V$(QUNu#omuByCvJ8.

e-Voting: Math vs. Implementation

Published on July 9, 2015

In this blog post I go over the vast gap between math and implementation (software code) in terms of security, by examining the case of online voting. In addition, as an example, I am disclosing some security vulnerabilities found in an online voting software.

The Best HTTPS Configuration

Published on June 22, 2015

In this blog post I attempt to examine what is the current best TLS configuration for your web (or not) server, and why answering this question is really not that simple.

Chrome, Chromium, and Certificate Caching

Published on June 18, 2015

This blog post contains a bug I found in Google Chrome and the Chromium browser in which the software failed to update the GUI of which certificate is used, therefore showing the previous certificate to the user, even in cases where the certificate has actually changed in the server.

Physical Security - Bad Design Practices

Published on June 18, 2015

During a store visit, I discovered a secure lock that used an RFID access card to limit access. But there was a way to easily bypass it.

Authentication In File Uploader

Published on June 17, 2015

Learning some basic PHP Web Application Security by following an actual example of a file uploading script I wrote for my University.