David Piniella

First, define your objects:

set security zones security-zone Internal address-book address TSserver1 192.168.1.151/32

and whatever service you need to:

set applications application MS-RDP protocol tcp destination-port 3389

and your destination nat pool:

set security nat destination pool dnat-192_168_1_151 address 192.168.1.151/32

set security nat destination pool dnat-192_168_1_151 address port 3389

and your NAT policy:

Define the NAT policy is configured which specifies the NAT pool that the traffic should be translated to.

set security nat destination rule-set dst-nat from zone Internet

set security nat destination rule-set dst-nat rule rule1 match destination-address 256.1.1.1/32

set security nat destination rule-set dst-nat rule rule1 match destination-port 63389

set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_151

and lastly, your security policy to allow the traffic through:

Use the internal (real) IP address and port of the server — the security/firewall aspect happens after the “networking” aspect of the connection:

set security policies from-zone untrust to-zone trust policy Internet_to_Internal_RDP match source-address any destination-address TSserver1 application MS-RDP
set security policies from-zone untrust to-zone trust policy Internet_to_Internal_RDP then permit

Once you’ve commited the change, an RDP connection to 256.1.1.1:63389 will get translated to 192.168.1.151:3389.

A Few Thoughts on Cryptographic Engineering: What’s the matter with PGP?.

TL;DR: keys suck, key management sucks, no perfect foward secrecy really sucks, implementation sucks, software sucks and we should rethink how to do this stuff slightly better.

If you’ve used PGP (or GPG), it’s hard to find fault with his arguments, though.

ProtonMail Blog – News and Updates.

Just got access to the public beta of this; here’s to hoping others follow suit.

The web forum 4chan is known mostly as a place to share juvenile and, to put it mildly, politically incorrect images. But it’s also the birthplace of one of the latest attempts to subvert the NSA’s mass surveillance program.

When whistleblower Edward Snowden revealed that full extent of the NSA’s activities last year, members of the site’s tech forum started talking about the need for a more secure alternative to Skype. Soon, they’d opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code.

Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not only by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.

via Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft | Enterprise | WIRED.

 

It’s a shame that w.a.s.t.e. died such an ignoble death — mostly because it was hard to set up, I think. Even so, IM was just a side-feature, not it’s raison d’etre, so you can still make an argument for Tox and against w.a.s.t.e., despite the very nice Pynchon reference.

A Google Site Meant to Protect You Is Helping Hackers Attack You | Threat Level | WIRED.

Testing malicious code for effectiveness.

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

via Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science.

BYOD is a huge security problem in organizations, but this is just a friendly reminder: if you’re out in the world, you have to expect attacks.

But all that could change. In 2012, an organization called the Internet Engineering Task Force IETF created a new email standard that supports addresses with non-Latin and accented Latin characters e.g. ?????.????. In order for this standard to become a reality, every email provider and every website that asks you for your email address must adopt it. That’s obviously a tough hill to climb. The technology is there, but someone has to take the first step.

via Official Gmail Blog: A first step toward more global email.

 

The TL;DR is: Google is enabling non-latin chars in email addresses (cf RFC6530). Whether this will encourage widespread acceptance of this is going to be interesting to see; like IPv4, everyone’s gotten used to The Way We Do It Now. And like IPv6, I doubt there’s going to be much switchover unless it’s forced.

One obvious benefit would be to employ char-sets in the email header as part of heuristic anti-spam measures in a more nuanced way (as opposed to “anything non-LATIN-1 gets more weight when spam/ham score is being calculated”) — you’d be able to say “well, we have customers in Russia, so Cyrillic is OK, but we have no market in Asia so Asian languages have a higher spam score”.

Steganography by gaming google translate with Lorem Ipsum

Lorem Ipsum: Of Good & Evil, Google & China — Krebs on Security.

Juniper SRX: selectively disable TCP SYN or Sequence checking | Bart Jansens.

Quite a bit of useful stuff on this netsec guy’s blog, worth your time if you’re poking at junos devices.

Yahoo email anti-spoofing policy breaks mailing lists – Computerworld.