Not sure where i originally posted about my speed issues with TOR.

Seems i was connecting via a bridge.. no wonder it was slow.  Donno how that happened. 

Ouch.

CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials

American water 'security breach' yesterday.  Said no "utility systems" effected but took stuff off line. 

With luck they didnt steal all the stuff from us who have auto debit..  Tho my bank watches for that stuff, and you get a refund, its still a hassle. 

"yes, we use SSO"  "You will have to sign up separately for each of our applications and add them into your phone's authentication app"

Then how the F is it SSO then?? Might be MFA, but not SSO.

This could fall in a lot of rooms. but after some talking it turns out its due to a security concern. so here it goes..

Been talking to a guy at work, hes trying to share a usb device between multiple VM guests. ( KVM/QEMU ).  Putting aside the issue of sharing a single device between machine and the natural issues you might get, i suggested he just allocate the device to all the VMs and then only access it one at a time, and even tho no guarantee it would not totally freak out.

I guess his end goal is actually to attach the device to one VM, and share it from there, not from the server. Hes leaning to IP sharing ( which i have seen used between physical servers, but never touched ) Asking why, 'security concerns', about pieces of the underlying GPU management stuff being in user-land. Personally, i don't think its THAT huge of a risk and not sure how that would actually help, but to him it is, so that is where we are starting from.

Since im now in way over my head, thought id see if any of you all might have an idea for him.

The last bit of discussion went like this ( now that you have some context ):

____

Mostly security reasons. VirtIO is not inherently unsafe, but there are discussions online about security boundaries in derivative software. Prime example of that is userspace "slicing" of GPUs - also known as VirGL (Proxmox exposes the option of VirGL integration in its menus when creating a VM).

The problem is that VirGL runs in userland and its developers have confirmed that it does not include security boundaries by default, and already assumes that other software has mitigations in place to protect it from theoretical privilege escalation attacks.

The safest solution in this case is to isolate it in a VM which is disconnected from the rest of OpenSwitch (or any other KVM-compatible networking interface) and then strictly use internal RPC mechanisms (for QEMU that's QEMUGuestAgent) to "pass-through" VFIO-like slices of the integrated GPU from the isolated Guest to other VMs.

There is on-going work to port virt-host-user to QEMU to get such functionality working, but it's alpha and seems to be somewhat hacky at the moment. Unfortunately, outside of enterprise RDMA-esque networks, there's almost no support for VFIO devices other than networking gear to be shared over IP/RPC.

_______

that is encouraging.  Here *everyone* will get them. Some 40k employees.

The VDI part, not sure if that will be required, but if not, its a way around the rules.  So im willing to bet they will, somehow.

What started as a joke at the office, found out i was actually foretelling the future.

On top of passwords, MFA, they are now going to issue USB pass-key devices, i guess keyed to your personnel ID.  ( tho i had those old key generator cards to the joke, its the same concept really just no typing)

Anyone dealt with these things?

If so..

• How rugged are they? Are we going to end up with lots of things breaking and people being screwed, having to drive in to get a replacement or something all the time? ( some cant.. they are across the country or even out of the country )
• I assume they work with windows and OSX just fine, but what about VDI from Linux or ChromeOS or web? ( unsure if VDI wil require it.. just random thoughts )
• What about local VMs, ( KVM in my case ) think just doing a USB pass-thru would be enough or will it detect ts not a 'real' port and freak out?

sorry its YT but this is an interesting, and not theoretical but real, discussion about AI worms being propagated via AI reading your mail, then getting false commands ( in effect ) to leak your data, and propagate to your friends.  All via zero-click actions.   ( at least zero click to you.. the AI did the 'click', in effect )

https://www.youtube.com/watch?v=4NZc0rH9gco

All the sites i have published go thru it. Both for SSL and for incoming name resolution. I only have one IP here at home.  All are separate VMs using its reverse proxy / port forward stuff.  ( not sure how you would run a site ON nginx i thought it was only pass-thru ) Right now, all have front end passwords via nginx to get past first, THEN the app password. ( paranoia .. )

• AI chat 
• AI images 
• Nextcloud ( frustrated discussions earlier about that.. issues with DoS floods )
• Guacacmole 
• The Village was, and if i get around to putting it back up, it will be again. Normally dont have the 2nd password layer on this.
• OpenSim ( using DivaGrid to give it a web interface ) no 2nd layer auth here either.
• JellyFin
• My service desk was, when i was still doing consulting. its gone now. i dont see that coming back.
• Fossil ( tho normally this server is off, dont need it often. but i keep the SSL cert up to date )
• And of course anything im testing with.. 

Tue Jan 02 2024 22:20:18 EST from IGnatius T Foobar

Do you have any actual web sites on your NginX or are you only using it as a reverse proxy?

 

I assume that NGINX native could, but im using an 'easy manage' version, unsure if it will do it, but i will look tonight..   But that said, having the little extra in between, makes me feel a little safer.  Its just frustrating i have extra hoops to  jump thru due to ass-hats.  NGINX is taking care of the name routing for me, not just the SSL.

These days, Traefik is the favorite for that sort of thing ... it plays especially nice with containers.  MetalLB is also a favorite; I've used it often because it can be automatically installed as part of MicroK8S (which I use heavily).

Do you have any actual web sites on your NginX or are you only using it as a reverse proxy?

The machine that runs www.citadel.org is running NginX.  Originally it was just virtualhosting a bunch of its own sites, but now it's also running as a reverse proxy for a few things in containers.

Normally i do it once a month, but could have easily forgot this summer. So might have hit that 3 month zone.  I just assumed that ( much like DHT ) there were a few well known entry nodes that everyone hits first, it and then collect more for next time once 'in'. 

Ill have to just be more diligent on doing monthly updates. 

Fri Nov 24 2023 08:59:40 EST from darknetuser

Typically, your client should pick a guard node (entry point) and use it for an extended period of time (say, 3 months).

If you take long between Tor sessions, it can be that yout Tor instance has outdated circuitry information and is trying to figure out the current state of the network.

TOR Question:  Do the official entry points change every so often? 

Reason i ask is i dont get on often, but did this morning just to get updates ( using the bundled Firefox thingie, not a service or anything, and all default settings ) and it refused to connect.  Everything was timing out affording to the log.  Wondering if my ISP was doing something, tried the snowflake bridge, again, timeout.  Tried another bridge set ( obfs ) and it did connect, then updated..

Now it works without bridges.

I would have thought that as long as the project itself was alive, the main entry points would be stable?

my place = my work place, not my house. Lost a rather important word there. 

Ok, ill skip F2B then.  I did have it running back when all i did was SSH in.  it was effective then, but i do realize that was a pretty simple use case too. If i end up going 100% vpn, i might look back and see if it has a plugin for that but wont spend much time.  VPN will work, just didnt want to go there and lose a few 'nice' things.

And for what its worth at my place, front end security is someone elses problem :)   And i believe they mandate capcha. We also block non regional IP addresses ( not perfect i know, but gets rid of a lot of the bots ).  But, the system i support, while is available on internet, is for our in-house network accounts only, mandated SSO/MFA so i dont have to f- with the outside world issues other than DoS, and again, not my team's problem. 

Thu Nov 23 2023 18:48:45 EST from darknetuser

If you think Internet sucks, wait until you need to deploy some crappy lame ecommerce app your boss tells you to, and then watch bots rape the live chat systems, the email contact forms and the registration forms. It is brutal. A trial run for one of these here with a basic captcha managed to get 200 bots register fake customers in 10 minutes or so.

Fail2ban has modules developed for use without reverse proxies, for the most part. Some applications have modules that support reverse proxies, but honestly, fail2ban is gonna need a lot of work in order to get adapted the proper way.


I have seen people use fail2ban by having the computer that is running fail2ban check the logs (served over NFS or syslog) and then ssh into the firewall to update the blacklists. No need to say this is serviceable but sucks cocks.

I assume that NGINX native could, but im using an 'easy manage' version, unsure if it will do it, but i will look tonight..   But that said, having the little extra in between, makes me feel a little safer.  Its just frustrating i have extra hoops to  jump thru due to ass-hats.  NGINX is taking care of the name routing for me, not just the SSL.

If i stick with web only, the double hop keeps me safe. and lets me continue to use things.  I am going to look into adding fail2ban or something to it however. Wont solve the problem but woudl help with the load the flood imposes.

Of course going 100% vpn fixes it too. But back to the 'extra hoop'.  And i lose the ability to publish to 'friends'. ( like pictures, chat )

Thu Nov 23 2023 12:17:56 EST from darknetuser

Maybe consider switching to a reverse proxy that can work transparently?


I am using a bunch of relayds as TLS accelerators. They serve as TLS endpoints. They take care of TLS certificates and renewals and also add HTTP headers to the connections that hit the app servers so the apps know they are behind a reverse proxy.

Since the apps know they are behind a reverse proxy and are given the IP address of the actual client that is initiating the connection beyond relayd, they can dentify abusers by IP. If that makes any sense to you.

Ah, and since the setup is transparent to the client then there is no breakage with non-web apps.

nginx is acting like a firewall, since i put logins on it ( but that of course kills native apps.. they cant do the double hop ).  But not yet looked into if i can do block lists on its own.  But the problem is that these IPs hitting me rotate, every 10th or so it changes, so my NC instance still gets hit too many times by the proxy, even if they were to get auto blocked at the proxy. 

Well back to my next cloud being flooded to the point i cant use it. 100s this evening, one bad login attempt right after another. I guess i have to put a 2nd login in front of it on the proxy. Blows me using native apps with it unless i vpn in ( or am on the wire here, but sort of defeats the purpose ), but at least i can access the web client. 

Frustrating.

Punycode URL fake address. Learned something new today.

it looks legit, browsers even tell you the address you think it is, but Unicode underneath it points somewhere else. ( always malicious )

ultimately, unless your IT/Security staff are morons or just dont care, that is the eventual outcome.

Tue Aug 08 2023 02:16:28 PM EDT from darknetuser

 you are screwed again.

scuttlebutt P2P. new one for me.

( ran across it on a forum talking about moving a DHT crawler source repository off github and onto a scuttlebutt hosted git.. as the founders are banned or something )

Our security team is over 40 people now i think

They love logs. 

Between that and us moving to a new ITSM platform, i may never need windows or a shop PC again.

Sat Aug 05 2023 11:22:57 AM EDT from IGnatius T Foobar

And then they blow the whole thing by permitting users to log in to Microsoft 365 from any computer.

Then i would go with option 2, or something similar.  Waste the bandwidth or other resources for the sake of stealth. 

Once upon a time due to a lot of restrictions, and similar 'performance' annoyances issues, i ended up doing a p2v so i could run the office computer on better/larger hardware, in effect.  I have a ( office bought ) MSDN license, so changing hardware the first time didnt burn me. ( later when we started staying home a day or 2 a week, pre pandemic,  i redid the office laptop as a host. just shuffled the vm back and forth when i had to come into the office ) May not work for everyone tho.. 

Sat Aug 05 2023 09:48:19 AM EDT from zelgomer

Do they pay you for after hours? If not id say f-it and find
something else to keep yourself occupied at night. Get a hobby.

Okay, but for the sake of argument only, let's say it was to be used during normal work hours too :)

In our case, they monitor ( and just learned, keep logs for months ) of all traffic. Restrict what you can run. Scan what you can run. Block ports. And you sign papers that if you cheat you get bounced out the door.

Do they pay you for after hours? If not id say f-it and find something else to keep yourself occupied at night. Get a hobby.

So this is a strange one. ( to me anyway )

We have an azure tenant. ( ya i know.. MS.. ick )

Our account people created an AD account for someone not in our forest, to access my stuff.  Attached Azure MFA to it ( required by me to get access to my stuff )

They made the UPN the remote domain ( with email attribute email the same even tho we dont host their domain ) and while it would work on-wire, supposedly that is not workable external as MFA it bitched about the account not being part of our tenant. Even tho the account was in our forest..  Change UPN to one of our domains, leave email alone, it worked ( and screws up my system as i assume UPN = Email but i worked around it )

Seems odd to me, its in our forest, who cares what we call it? I would think just being in our forest = being in the tenant 

( and of course over night the UPN reverted back to pre-change values and broke again.. )

Thought i mentioned it before.  Central Indiana 

Fri May 12 2023 04:28:25 PM EDT from IGnatius T Foobar

I don't know where you are.

If you ever make it near me, yell.. 

Thu May 11 2023 07:27:57 PM EDT from IGnatius T Foobar

 (like right now ... hello from the Atlanta airport) 

most of what i saw was IP blocks.  ended up with such a large table of blocks, connections started slowing down

i think im safe with vpn, and its transparent.  Unless someone comes up with a reason its bad that im not thinking of. 

Wed May 10 2023 04:46:38 PM EDT from darknetuser

2023-05-08 19:33 from Nurb432
In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the
same risk

2 - OpenVPN was transparent to all apps once connected..  and
automatically did key-pairs so i didnt have to f with that myself for
SSH. 

The advantage with SSH is that even if you are using password auth, there are so many tools for bruteforce prevention for SSH that you can grab any random one with not much effort.

In the past i did just this.  But, ran into 2 things

1 - i was not using key-pairs and just a login, so it was sort of the same risk

2 - OpenVPN was transparent to all apps once connected..  and automatically did key-pairs so i didnt have to f with that myself for SSH. 

Mon May 08 2023 04:57:50 PM EDT from darknetuser

Poorman's way of accesing internal web services that are behind a firewall is to have a proxy inside and use ssh forwarding to access said proxy. ssh has enough tools for blocking bruteforcers as it is and should be easy enough to defend. That is my approach for my personal stuff.

The office, that would work, but not from my phone.  

Mon May 08 2023 04:57:50 PM EDT from darknetuser

 If you connect mostly from one or two offices you may actually whitelist those IPs and set everything else default-deny.

This could be network room material too. but security concerns is prompting this :)   ( even rants or bottom feeders as these scumbags need beat with a bat )

So this week been getting hammered hard from script kiddies. More than normal. One now is hitting my nextcloud url ( i have Ngnix on the outside ) and flooding it with enough bad logins that the NC server is now blocking my proxy IP  ( since it has no way to know where this stuff is really coming from and all it sees is my internal proxy address ). Other ports being hit too as expected, but no effect as they were not open. But due to NC being offline in effect, last night i just shut all port mapping down and threw in the towel.

I'm thinking of just leaving my web services offline except on demand. But i would like to leave my OpenVPN server alive so i can still access my crap from the office or something.  

It is on the standard port, but sniffers could find it on an odd port so i figured why bother.  

In the bigger picture, how safe is this? You need a file to be able to connect, so its not like you can just randomly send id/passwords.   Sure, i still run a DoS risk even with nothing exposed, but what about the basic risk of publishing that way in?

I guess i could add a login on the NGNIX side ( i did that for my AI chat bot when i published it to play with at work ), but it still gives them an active port with a 'real' login to beat on.

And unrelated to the actual question, Interesting thing was that it was coming from various ports on their end but was hitting 80 on my end to hit the NC URL.. is that new or have i never noticed?  I have of course seen the random port to port scan, but not in this way where it does not match.  ( but i admit i dont keep up on this stuff. )

And i do wish i had 20 or 30k laying around that i didnt care about, to buy a couple of bigger GPUs..  Make things much faster.   And could load larger datasets. 

Be sure to buy a bottle of migraine tablets.

:)

Fri Jan 20 2023 06:48:28 AM EST from darknetuser

2023-01-19 19:01 from Nurb432
Ya, not worth the effort or pain you will receive. 

I think it is worth doing, if only for the learning experience. It also lets you write down in your CV that you have mastered your Postfix/OpenSMTPD/Dovecot kung-fu.

Ya, not worth the effort or pain you will receive. 

A few bucks to a hosting provider, done.  Yes  i know this was about zero trust... but in this day and age, 90% trust is good enough i think.  Most providers would be destroyed if they got caught doing bad stuff.

Thu Jan 19 2023 06:54:15 PM EST from IGnatius T Foobar

Right. It is very much true, you're not going to be able to reliably run email from a residential Internet connection like the lazy dweeb in the article tried to do. 

Seriously, if you're gonna use email, that's the way to fix the problem.

I recommend you read this first.

https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

consolation is its bots, not humans

Fri Jan 13 2023 07:44:42 PM EST from zelgomer

spy on your emails and serve you targetted ads.

its too bad end to end encryption of mail never became a thing. then if your host DID read it, they would only get garbage.

If you want to operate under zero trust, yes. that is your only option, self hosted domain.

Thu Jan 12 2023 06:36:05 PM EST from zelgomer

2023-01-12 22:24 from Nurb432 <nurb432@uncensored.citadel.org>
If you want anonymous and dont want to setup a domain.  how about
proton mail? Basic use is free .. 

Still requires me to trust that Proton isn't going to steal personal information that morons send me.

In fact, after giving it a few minutes of thought, I think that alone means I need to setup my own.

And I probably should do this, anyway, just for the experience (I still have only a vague idea of how email works) and for the vanity address. I never liked my public email username, anyway.

If you want anonymous and dont want to setup a domain.  how about proton mail? Basic use is free .. 

There are a few directories and bots out there.  Start with this perhaps.   -> http://paavlaytlfsqyvkg3yqj7hflfg5jw2jdg2fgkza5ruf6lplwseeqtvyd.onion/

I actually started with freenet, but saw a use for all 3...

Wed Jan 11 2023 06:12:46 PM EST from zelgomer

Maybe it's because I was exposed to I2P before I was to Tor, but for me it's the opposite experience. I use Tor to browse the clearnet anonymously, but I have no clue how to find hidden services on Tor.

I think its still of value, but it seems to me like TOR is also slowing down.  Unsure if its due to infrastructure reasons, or DoS attacks.

Reminds me of a sign at a junkyard i used to go to:  "Everyone uses used parts. You just drove in on them"

Tue Jan 10 2023 05:41:58 PM EST from zelgomer

If you set a shop subservice in which people may sell their used
underwear over UNcensored you will have this place full in no time.

Sell it?? Never! I'm still wearing it!

Not really looked at it for a long time, but seems onionshare now has chat and static page web-hosting....

Last time i messed with it, just provided a file drop/share. 

And, its all python, so for me that is a plus :)  And has both text and some sort of graphical management thing ( tho looks simple, not looked closely yet )   i thought it was some other language last time, and needed nodeJS or something installed. i cant remember now, but python is good. 

That was my thinking too, unless they did and he's never restarted. And as i'm no expert, so this may be a dumb question: Is blocking even supported in the base code? That seems sort of counter-intent of the project.

Sat Jan 07 2023 10:56:31 AM EST from zelgomer

I actually don't think they can, because you get a new b32 each time the tunnel is established.

its just the NSA inserting nodes "for your protection". Nothing to be concerned about, citizen.

Hmm didn't even know that was such a thing.  Makes sense i guess.

Mon Jan 02 2023 11:17:41 AM EST from IGnatius T Foobar

Is anyone else having trouble connecting to IRC2P? I haven't been able to connect in days. No response from the server at all.

Not sure it truly wastes their time, they enjoy the battle and is entertainment for them. 

Now, for people who truly want to make a difference, i agree.

Thu Oct 27 2022 04:17:59 PM EDT from darknetuser

Too many activists waste their time trying to pick people who is not and will never be one of them. 

it was long before that. Just not as overtly 

Wed Oct 26 2022 22:17:14 EDT from zelgomer

This is even one step further imo. "I have nothing to hide and I'm afraid the gestapo might think that I do. And by the way I think you're being a little hyperbolic to suggest the FBI is our enemy."

How long has it been since the FBI became the enemy of the people?  When did Waco happen?  When did Ruby Ridge happen?

"we see you purchased a package of meat 10 years ago.. we need to talk"

Right, i wast meaning the federation of some sort, just that it still supports it inside the system, even if its walled off, is good.

Ya, cant have holes in those walls, gotta contain your subjects and feed off them.  I took advantage of the openness between platforms, while it was still there. It was a great thing.  

PS, thanks for still supporting it.. 

Thu Oct 13 2022 09:57:03 AM EDT from IGnatius T Foobar

I tried connecting xmpp clients to citadel but found that a lot of
clients would not work unless the server offered TLS so I setup a

Needless to say, Citadel handles that just fine now :)

XMPP had so much promise when it was going to be *the* instant messenger and you'd be able to reach anyone on any service because they were all going to talk to each other.

But then the big services decided not to implement server-to-server, or to drop it if they had it. Eventually, Goolag and Fecesbook dropped XMPP entirely, preferring to restrict users to their walled gardens, because interop is bad for their business.

*sigh*

That is why i suggested he set it up for them.  After that, its zero effort.  ( hell i dont even know my login/pass on most things anymore. id have go to find it in my records )

And from above i dont think he cares about 'market penetration' its only for family, not finding new friends.  ( at least that is how i interpreted it )

Tue Sep 20 2022 01:33:58 PM EDT from darknetuser

Jabber/XMPP require the users to know their acess credentials. MOst modern users cannot do that anymore.

I am not joking. I tried deploying a test Jabber service and it was a massive failure.

Id think that would be a feature.  Reduce risk if your network is breached.

Mon Sep 19 2022 03:47:34 PM EDT from nristen

 

One of the new areas being worked on with XMPP is authentication including 2FA which concerns me especially around self hosted solutions because this can require connections to 3rd parties.

 

About 15 years ago I was first introduced to XMPP/Jabber when my former employer was using it to facilitate communication between SMS and 911 operators.

Not that long ago, I was looking for the best option for self-hosted im and was very interested to find all of the features being added to XMPP such as OMEMO encryption and voice/video calls.

I tried connecting xmpp clients to citadel but found that a lot of clients would not work unless the server offered TLS so I setup a Prosody server which works really well with low resource utilization.

One of the new areas being worked on with XMPP is authentication including 2FA which concerns me especially around self hosted solutions because this can require connections to 3rd parties.

Karl

dammit. keyboard is acting up worse today..  losing characters.  Whomever is capturing my keystrokes, dont keep them too!

User acceptance is one reason i suggested jiti . if he installs the client for them its brain dead easy to use. It stores your 'rooms' in history on the start screen so after the first time its just a click to get back to famiy.  And it has video chat, which so many people seem to like these days. ( and in my case, i like that i can self-host..)

but xmpp could be the same, regardless of self-host or not " here, let me set it up.. "

if i didnt want to run it myself, id still go with jabber.   some clients do support end to end..   and i trust those servers more ( like jabber.org ) than the 'social' providers  

And if you didnt catch the hint. citadel does that :) 

Why not run your own jabber protocol server? If they have to change anyway and learn new stuff, at least its under your control.

Or go all out and something like jitsi.   

Only if its FAR away from people.

People drive like idiots.

Sat Sep 10 2022 01:20:44 PM EDT from LadySerenaKitty

 

I also find driving to be relaxing.

Writing software can be relaxing.  It can also make one feel like a dumbass.  To quote myself from FreeBSD Discord:

"I am, despite some brain damage, still managing to be smart and intelligent. I only feel stupid because I am a software developer, and we teach a hunk of metal with literally no brains how to do somewhat intelligent things"

Source: https://discord.com/channels/727023752348434432/727023752348434436/1008935413790036028

I also find driving to be relaxing.

My problem is i got burnt out some 20 years ago.  "Make your hobby your job and you wont work a day in your life" 

Lies.  I lost my hobby and hate my job.

It was more than that for me. i'm an EE by schooling and electronics in general was a hobby. It was fun.

Somewhere around 25 years ago after i hit the wall, i realized that making your hobby you job was a farce. No, its not "you will never work again a day in your life" It was "you will lose your hobby and hate every minute of work"

Sure ill do what is needed, but its not fun anymore. None of it.

The first sign was the "great purge" of all my retro stuff. Then came some 40 years of books and magazines heading out the door...  

Tried so many times to get interested again, just doesn't happen and i end up with a dust collector. Its one reason i got rid of mostly everything. Funny, this week i just asked the guy i gave all my "components" to ( and scope, breadboards, bla bla )  if i could borrow a 1.5k resistor. Need to test a sensor on the jeep. Never dreamed id say those words "borrow a resistor"... 

I reached that point a long time ago. ( burnout induced ).

It usually is, and often it comes on very suddenly, even for people who were previously loving the complexity of their "home data center".

For me it was one late night in 2011 when I ran some update or another and a bunch of stuff broke.  And then my patience ran out all at once.  I deleted Asterisk and went through the house replacing IP phones with regular ones.  I deleted the iptables script on my main server and switched to the firewall built into my home router.  I deleted all of the complex X-10 integration and only used the remotes.

That's another thing.  Smart homes are for chumps.  Just turn the damn light on if you want it on.

I did notice yesterday that PI hole is blocking access to the DHT..  Magnets wont ever return anything, unless i swap out my DNS. ( my external vpn provider swaps in their own dns on the fly )

Must be a rule in there somewhere. But not sure i want to bother finding it since i dont run a DHT search bot anymore. 

I reached that point a long time ago. ( burnout induced ).

"sure, i could, but this is good enough"

You disappoint me. As a real datacenter architect you should be using CARP or relayd or HAproxy or whatever and use your second DNS cluster as a failover in case the first one bits the dust XD

I am among the best of them.  But as is so often the case with high level IT people, eventually you get to the point where you just don't want to spend a lot of time being a system administrator at home.  The time I'd have to spend putting together a world-class access network just to serve a family of four just isn't worth the time, the money, or the aggravation.  When I'm not at work I'd rather be spending the time with the family, not fixing their computer problems.

Besides, what's the point of locking it all down when my wife is on Facebook and my son is all over YouTube and my daughter is who-knows-where collecting the dankest memes of the day?

To make things easy and secure for me, I've moved the security perimeter downstream.  My main computer treats the home LAN as an untrusted network.  It has its own access controls and it runs its own DNS server (straight to the root servers, no forwarders).   And finally, I don't need a "home lab" because I have a development region in my data center.

All together, it lets me spend more time in the swimming pool and less time maintaining address pools.

in our shop they will just ignore  you. They are the worst team of people i have ever seen.   They ignore everything asked of them, even request for info on break-ins by our customers..  crickets. "we dont have to tell you what happened, or even that it did, now go away".   They even make secret changes to systems and dont run it thru the CMR process...  A few times its broken things "oh, we rolled back the change" "what change? wtf?"

Hell i have had a ticket in for nearly a week now, i lost Ethernet last week..  Figured they black listed me again. Not even looked at the ticket.

( today it started working again.. but i haven't told them this.. i want to see how long it takes them to get back with me )

I guess they are starting to roll out a 'service' on windows boxes that only lets you run whitelisted executables..   And its a long painful process to get one approved that isn't what they consider 'stock'. And i guess they are going to pull admin rights on the desktops too. it *has* to go thru this new thing.

I bet i lose access to fossil rcs

Aside from the chaos this will cause, their scanning crap takes 30% CPU ALL DAY LONG ( if you are lucky.. sometimes it more, and sometimes it eats SSDs .. )

it seems the WYSE system might be better, it has a wireless base station that hard wires into your network. not sure how its wireless signal is setup or if it has a local hard drive.  i'll have to look into it a bit more.

it wanted the email to send a confirmation.  the account on their system is also my email account (different password specific to cloudedge).

The system works pretty well. it gets whiney about the 50% wifi signal and sends me messages to fix it.  so far no red's out front surveilling me, unless you count the local cops.

daughter was in and out all day, the battery dropped to 96%.  at that rate i'll recharge in 25 days.

The chinese army is watching over you to protect you.

I picked up this camera for fun... you know, for experiments.  it's battery powered for $29.

I uses CloudEdge software (chinese army) and syncs up with the camera really fast.

Here is what you provide

email address, gps location of your camera (house), wifi network and password.

The camera detects events, stores images on a sd card.  but notifications come through the app, not your email.

so, im pondering how this system sends me alerts with images and video clips when im 50 miles from home (which it does thru the app)

maybe there is vpn established between a chinese server and the app and the camera posts the events.

no other network setting were needed pairing the camera with the app.

https://www.amazon.com/dp/B08L3RBF6P

in theory 1.1.1.1 is my secondary here, so if my pihole dies, it should ( should ) go there instead.

I have not tested that theory, tho i guess it would not be hard.  just turn it off :)

We are OK for DoS attacks and have enough stuff in place to mitigate that ourselves. This move is mostly for authentication reasons. This started when the that java log4j vulnerability came out.  They yanked it off the outside that weekend, and made it only available to internal network, and 'we need to make this use SSO before we put it back online" "but we some how have to support people without accounts too" . Why a current product in 2022 cant support SSO native, i dont understand.    A mix of on/off network, well that is hard to do, safely. i will give them that.  I assume the log4j problem was updated, donno, im not in that group and security team, well they are not forthcoming with information, even to people in their same org..

I guess there were around 10k employees that didnt have network accounts, as they dont need them. Complicating matters with the last minute change to mandate on-network access only. A side from other things, its used for timekeeping, benefits, general HR stuff, including contractor access as it also includes financial modules.. So we will have a 'mix' of users. But from what i hear, they are going to move the 'public' access pieces to a 3rd party system completely and will never go back on the sso requirement.

Rumor too is that if this goes well, ALL internet facing apps will have to use CF..  Even if you already do SSO..

And i guess its not a secret of what we use, its SAP's PeopleSoft..  So not some fly night thing that is 30 years old.

I cant give you details ( and even if i could, i probably should not say too much ), but i guess CF offers some sort of service to 'secure' external facing web apps. We are migrating one of our largest.  I guess once the switch is flipped you access it thru their 'stuff' which tunnels back to our internal network, i assume via VPN.

ya, pretty vague, but i'm not part of the teams involved, nor in testing..   BUT it seems like a bad plan to me. 

Thu Apr 14 2022 06:25:59 PM EDT from darknetuser

Cloudflare is a Google-grade threat to privacy at this point. If your ISP is not a very, VERY big one, Cloudflare is more dangerous.

They get to see more traffic than anybody else with few exceptions.

I personally tunnel my DNS queries to a server I actually own. If you are concerned you can use an encrypted tunnel to an Opennic server, so neither Cloudflare nor your ISP can see what you are doing. Reaching that point you may as well be using Tor, but for the regular Internet it may suffice.

My personal opinion is that its a wash. Unless you are running on a semi-anonymous vpn, someone knows, somewhere.

BUT, i suppose cloud-flare is more disconnected from you than your local isp.

Fri Apr 08 2022 09:37:37 AM EDT from zelgomer

Updated Firefox recently and noticed they now enable DNS-over-HTTPS by default. Do I want to leave this enabled? Could you please share your opinions of it? I'm on the fence. On the one hand, my ISP can spy on my DNS queries. On the other hand, now Cloudflare can spy on my DNS queries. Who is the lesser of the two evils here? Is this a further move toward total web centralization?


I need to read some good conversation on the subject, preferably both sides. I haven't been able to turn up anything helpful yet in my own searches.

One drive auto sync is trying to do the same thing. Cant comment much about it yet however. We just started doing that at the office.

Wed Jan 26 2022 02:57:32 PM EST from IGnatius T Foobar

PD is wrong about Exchange. 5.5 is the worst of them all. The one after that was also the worst. After that it went into a bit of a decline.

Roaming Profiles was a good idea but they never quite got it right. On a real computer you just remotely mount /home and everything just sort of works the way you expect on every computer involved.

In principle Roaming Profiles is a good idea.  In practice, not so much.

Mon Jan 24 2022 11:31:49 AM EST from ParanoidDelusions

Ig is wrong about Exchange. 5.5 was an awesome platform... 

But Microsoft's print services have sucked all the way back to NT 4. Roaming profiles and remote printers has always been an absolute disaster, and the Spooler causes probably 85% of Desktop support problems industry wide. 

 

 

Ig is wrong about Exchange. 5.5 was an awesome platform... 

But Microsoft's print services have sucked all the way back to NT 4. Roaming profiles and remote printers has always been an absolute disaster, and the Spooler causes probably 85% of Desktop support problems industry wide. 

Fri Jan 14 2022 17:59:53 EST from Nurb432

oh and the print spooler thing, we took care of that the day it was known. ( it was rather painful.  You had to call a field tech out to add a printer.. )

oh and the print spooler thing, we took care of that the day it was known. ( it was rather painful.  You had to call a field tech out to add a printer.. )

Interesting. 

Tue Jan 11 2022 18:47:43 EST from Nurb432

No, not even close. 

What i can say it was vulnerabilities built into an application several entities like us were using.  It was inserted by the developing company, they had an insider from china who did it, so it wasn't 'planned' by the company.

It used several general exploits to spread, which were patched by everyone else that got hit. 

 

Tue Jan 11 2022 06:15:52 PM EST from ParanoidDelusions

You got hit by that ransomware - and if you're a Windows shop, it came in through a print spooler exploit. 

Tue Jan 11 2022 14:48:12 EST from Nurb432

So that network compromise i talked about a month ago. I guess our security team has just announced " no, we will not be answering any questions and you must cancel the requests from our customers for explanations. " 

WTF. we are a freaking public entity. 

 

 

No, not even close. 

What i can say it was vulnerabilities built into an application several entities like us were using.  It was inserted by the developing company, they had an insider from china who did it, so it wasn't 'planned' by the company.

It used several general exploits to spread, which were patched by everyone else that got hit. 

Tue Jan 11 2022 06:15:52 PM EST from ParanoidDelusions

You got hit by that ransomware - and if you're a Windows shop, it came in through a print spooler exploit. 

Tue Jan 11 2022 14:48:12 EST from Nurb432

So that network compromise i talked about a month ago. I guess our security team has just announced " no, we will not be answering any questions and you must cancel the requests from our customers for explanations. " 

WTF. we are a freaking public entity. 

 

You got hit by that ransomware - and if you're a Windows shop, it came in through a print spooler exploit. 

Tue Jan 11 2022 14:48:12 EST from Nurb432

So that network compromise i talked about a month ago. I guess our security team has just announced " no, we will not be answering any questions and you must cancel the requests from our customers for explanations. " 

WTF. we are a freaking public entity. 

So that network compromise i talked about a month ago. I guess our security team has just announced " no, we will not be answering any questions and you must cancel the requests from our customers for explanations. " 

WTF. we are a freaking public entity. 

Several of my bookmarks gave me errors ( i dont get on often so it might have been a while, or last night.. who knows ) but a couple i 're-found' ( like proton mail ) and they were different links, but now worked. 

I know that was on the horizon, so i figured that is what happened.

I have not been keeping up, i assume that tor v2 addresses are now dead? 

its sort of a trade-off.  Noting comes free..  

So far, the trade-off to be a google captive works out, for me at least.  Next month, next year? Who knows. But today, its ok.  And i do have that netxcloud install out on my farm ( even got SSL to work so it can do video chat ) and it works well, its tempting, to switch. But, ya, you lose some things that are convenient. 

"There is a vulnerability and we need to force everyone to use VPN to access this server, not the internet"

"great, lets drop the external DNS record, that will do it"

Really? How stupid can you be?  Some of us had cached DNS and could still hit it externally.. bit of research and that was ALL they did.  

I believe that is true, but i dont think its been tested at the SCOTUS yet.

And the court can compel you. Once they demand it, you sit in jail in contempt until you do. 

Fri Dec 17 2021 07:03:01 PM EST from zelgomer

Yeah, not a big fan of biometrics. I've also heard it claimed before that in the US you can't be compelled to divulge passwords or PINs because it violates the 5th, but you can be forced to provide biometrics. Don't know how true that is.

Guy at work got his hand worked on.  They put it in a cast.  The hand he used for finger print scan.  No phone for him now. 

Fri Dec 17 2021 12:04:40 AM EST from ParanoidDelusions

and it will use biometrics - 

Google's is good enough. 

But, Keypass is also a solid choice, if you want to manage something local. There is an Android version, and it will use biometrics - which makes it far less likely that you'll lose or forget your master password. 

Thu Dec 16 2021 19:49:05 EST from Nurb432

Im sure ill have stones tossed at me, but i would imagine that google's is 'good enough' if you are going that route. 

Im sure ill have stones tossed at me, but i would imagine that google's is 'good enough' if you are going that route. 

Responding to this shit as an emergency response consultant is awesome. 

Doing it for the company you work for is misery. 

It is so strange how that works. It isn't the work I mind, it is being compelled to fix something of MINE that someone else broke that I think makes it bother me. 

until you shut down several perfectly fine critical servers that effect citizen facing applications and we end up on the news. 

The CVE said 2.x  logically, even without reading, 1.x was ok.  

Well, seems since our security team does not do research and just knee jerk reaction, they quarantined my PC.  

Took me almost no time at all to determine what was really going on as i read the damned CVE   All they did is search PCs for file with a name of log4j, and didnt bother with what it really was, or what version it was....  No consideration that the real issue was on servers... 

( and course mine is NOT vulnerable. being a desktop, and a 'good' version..   it didnt effect 1.x versions at all.. )

Great. Another long weekend for a lot of people.

Seems its part of crystal reports designer, so im getting bitched at by security. 

Cant go into much detail until its fully remediated and made public, but got hacked at the office again this weekend.  Several servers had to be unplugged  ( virtually. they were not physical servers )

Today they pulled our PDC out of commission..  all day to rebuild the damage.  i have never unexpectedly lost a PDC on a network i ran and it was always planned, but i thought in the old days this was less painful, but i guess with how security has this setup its not as painless as it was.. ( even involves secret rooms and air-gaping.. things even i had not heard about until today )  And it didnt save it from happening either. so the extra pain was pointless.. 

"Contractors working with/for the Chinese government" is the last rumor i heard. So same as last time we got hit. 

Freenet, tho it seems they have gotten 'pretty' too, at least does explain why they are there upfront. 

Mon Nov 29 2021 10:35:00 AM EST from darknetuser Subject: Re: mysterium

The Tor website used to be much better. Back then the logo was an actual onion, instead of an abstrabt representation of an onion, they explained the core ideas and why it was sueful pretty much in the homepage.

The i2pd website at least tries to explain what i2pd and i2p are. It is not super helpful but at least they don't hide behind a shitload of corporate marketing.

Same thing with the official java I2P implementation, really.

Ya that is why i came back a few mins later myself and said to ignore it :)

It started out ok, but got bad , quick as i kept reading.  No, i'm not going to be running a *mandatory* out-proxy, or *have* to pay to use another person's proxy.   

IPFS is still a better idea.

Sun Nov 28 2021 08:54:05 AM EST from zelgomer Subject: Re: mysterium

As soon as I notice the website of a project has been designed by one

of those UX masturbation morons, I send the project to /dev/null.

Thanks. I did the same thing but I didn't want to come across as rude or stupid. I gave it an honest five minutes trying to figure out what it was. All I learned was that it was an "ecosystem," so I guess it's a bundle of several technologies that they're trying to sell (maybe figuratively or maybe not, I'm not sure) as a package.

Five minutes isn't very much time, but it seems like after five minutes I should at least know what I'm getting into. Imagine taking five minutes to read the abstract of a paper and still not knowing what topic the paper is going to cover.

Slight tangent, but I got the same sense from Matrix. It looks interesting to me, but it's way too hard to get to the meat. And once I did get to the meat, it looked a little too "webbish" for me. I don't get why everything has to be so over-built. What ever happened to KISS?

Actually, reading more, not a fan. Just ignore this :)

Sat Nov 27 2021 08:27:55 AM EST from Nurb432 Subject: mysterium

Ran across this by random.   Seems interesting. But its not well known. Any opinions?  https://www.mysterium.network/

 

Seems a bit like the interplanetary file system project, but on a blockchain instead of DHT.

 

 

Ran across this by random.   Seems interesting. But its not well known. Any opinions?  https://www.mysterium.network/

Seems a bit like the interplanetary file system project, but on a blockchain instead of DHT.

Agreed. The Citadel *is* the easy part - and it has improved since I forced it to run on a Pi 3B+. Tremendously. 

Fri Nov 19 2021 14:42:38 EST from zelgomer

The next thing we have to figure out is how to make this kind of thing

*easy*.

Well, to be fair, I think it is pretty easy today. Everything about my experience that wasn't easy was self-inflicted because of my own neuroticism.

Cant go into a lot of detail ( partially i dont know, and what i do know i cant say much beyond that it happened, which is public info.. )  But apparently our health agency got one of their major DBs hacked last week with a huge data leak. Turns out its a commercial package that most, it not all state health department uses across the country.  Several other states got hacked about the same time or just before us.

The US vendor used Chinese contractors, and yes, they added backdoors it turns out.

You would think in this day and age, we would be smarter than this.

I know its a bit OT, but that is how my Jetsons run.  They boot off SD then flip root over to whatever huge device i have attached to them ( be it usb, m.2, sata, whatever, all depends on what the carrier board supports )

Gives me more/faster storage, saves the SD from all those writes, and its a real pain in the neck to change booting on these things since they are all 'dev' SOMs and not 'production' SOMs that have built in eMMC.

Mon Oct 25 2021 11:32:01 AM EDT from IGnatius T Foobar

This is like something I did about six years ago when I needed a quick NAS to store offsite backups. I built it on a Raspberry Pi 1B+ and then moved the root partition to a USB-attached hard disk, leaving only /boot on the SD card. It ran that way for about three years before I got a bigger machine and didn't need it anymore.

I guess like everything. Once the 'unwashed masses' get in, it all goes to hell and stoops to a new level of "stoopid".

Mon Oct 25 2021 06:11:26 AM EDT from darknetuser

Your average i2p user is more savvy than your average end user. Back in the days when there were popular XMPP servers inside I2P, people just configured their tunnels and joined up. Now everybody seems to be in IRC. Or torrenting movies.

That sucks, man. Sorry. I ran a Citadel on a Pi for over a year and never had a problem - but... solid state data usually doesn't just *slowly* die... 

Tue Oct 19 2021 10:59:19 EDT from IGnatius T Foobar

*exhale*

Ok, I managed to save /var/lib/i2p/i2p-config from the SD card. This rescues the keys and configurations while I get the machine rebuilt. Pi 3 can boot from USB so I'm going to use a real hard disk this time.

I stopped playing around with I2P... can't even remember how I had it set up now. Think it was on the Rpi 400. I'll look into it. It sounds like it is complicated to get connected to Uncensored via I2P, though - I mean, beyond the normal level of complication? 

Mon Oct 18 2021 23:16:01 EDT from IGnatius T Foobar

Ah, ok ... I was wondering how there could be sites featured in the router's main page if there's no DNS. It appears that my address book is "subscribed" to http://i2p-projekt.i2p/hosts.txt

I wonder how hard it is to get into that list. I'd like to be on it :)

In the mean time, please keep using Uncensored via the I2P connection if you can. I'm relying on you guys to supply me with information on how well it's working. I don
't consider my own experience to be valid since I'm on the same router that's providing the service.

We have to make a determination about how much testing is required before we can feel confident making big announcements to the I2P community.

A lot of us are patiently waiting for that :) 

Sun Oct 17 2021 05:55:44 PM EDT from IGnatius T Foobar

And I can't afford another side quest -- webcit-ng has waited too long :)

Cool, saves me the trouble. i was about ready to start setting I2P up again. Been busy cleaning all morning. 

Sun Oct 17 2021 11:55:56 AM EDT from zelgomer

Hello, coming to you via i2p!
Yes, setup was exactly as you described. I created a new tunnel, pointed it to that address, and then connected with telnet, worked on first attempt.

that would be my understanding ( only used web on it before, that is mostly magic, just proxy settings in the browser ).

Ill give it a try myself tomorow. Tho im sure someone else will beat me to iit

Didn't realize it was using JS ( not paying attention enough i guess )

So, ya, its a non-starter for darknet.

Ah Gopher.  And Archie.. and UUCP, and usenet... The good old days before the net was ruined by too much commercialism and communism ( not that kind, the kind where 'commoners' flood the gates ). Back when men were real men, women were real women and small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri.

And i still used my AtariST

.

Agreed on JS being frowned upon on any dark-network, but i do think most ( not all, just most ) people these days prefer HTML over TTY. 

Thu Oct 14 2021 11:38:04 AM EDT from darknetuser

Eepsites are ok as long as they don't require javascript. If they require javascript they will shunned and mocked and distristed and pissed on.

IMO a text based interface is a better fit.

Ya. 1:1, just like TOR.

I think it would be a mix.  Most people are used to web interface, but if you are REALLY hard core paranoid, text removes the browser leakage from the equation.

I guess if you had to choose, id go with web.

This isn't too different from how I run I2P.  Just for the fun/learning experience of it, my setup is sort of a home-grown whonix.  I have a VM where I run I2P and TOR with two NICs: one faces the rest of my LAN and has WAN access, and the other one is connected to a virtual bridge.  Then I launch a second VM whose only NIC is connected to the virtual bridge, and he is served DHCP from the first VM which acts as his gateway.  I've exposed a select few I2P services to the "workstation" VM, and then any other traffic from that VM is routed through TOR.

Effectively the same situation, except no Raspberry Pis or VLANs.

I always ran my apps on the same machine, but no reason that wont work.

if i had not made mistake #2 in my life and stayed with EDS back in 1990, id have been in that sort of boat. I would have a a butt-ton of money, and retired at 40.

But nooooooo i was a freaking dumbass kid and couldn't see that far down the road.  

Sun Aug 29 2021 07:31:34 PM EDT from IGnatius T Foobar

Here in New York if you are young and uncommitted and have decent IT talent, the thing to do is work IT for a financial firm. Big, small, or in between, doesn't matter. They work you to the bone and pay you stupidly good money.
Most people who go this route burn out in about ten years. So if you're smart enough, you do the ten years and invest the money properly, then you can settle down and get married and have a really good financial base while working a more sustainable career.

It wasn't my path, as I already had a fiancee and a job offer waiting for me when I graduated. But it would have been interesting.

I mean, there was significant risk in our movie to Ohio - and we ultimately lost $100k on that move. But in the long run, because of that choice, we came out far ahead. For now. 

It doesn't mean to just rush in way over your head and start swinging blindly hoping to get lucky, though. You use some strategy and planning and carefully put it all on the line.

I don't think you risk "losing it all" - either. You risk "ending up where you started." 

Like most adages or idioms - people twist it to justify *bad* decisions. The corollary to "The bigger the risk, the bigger the reward is," 

The more you put on the table, the more likely you are to lose it. 

Thu Aug 26 2021 16:51:01 EDT from Nurb432

I have heard it more than once, if you dont take chances of losing it all, with no safety net you will never really make it big. 

 

Thu Aug 26 2021 12:18:42 PM EDT from ParanoidDelusions

No balls, no glory. 

 

I have heard it more than once, if you dont take chances of losing it all, with no safety net you will never really make it big. 

Thu Aug 26 2021 12:18:42 PM EDT from ParanoidDelusions

No balls, no glory. 

 

On the other hand, I could have launched a successful business on the coat-tails of a guy who ended up owning a Hilton property, among a lot of other things. 

No balls, no glory. 

Wed Aug 25 2021 19:29:26 EDT from Nurb432

Yes, this has burnt me more than once, and not just career. And yes, i also did not learn and would be doomed to repeat.

I did some really stupid things when i was young, and i got lucky.  Since then the 'safe' path has been my choice.

Wed Aug 25 2021 07:06:20 PM EDT from ParanoidDelusions

 I went for a more conservative career path with less risk and less reward. I'd probably do the same again, if I were back in the exact same situation today. 

 

 

Yes, this has burnt me more than once, and not just career. And yes, i also did not learn and would be doomed to repeat.

I did some really stupid things when i was young, and i got lucky.  Since then the 'safe' path has been my choice.

Wed Aug 25 2021 07:06:20 PM EDT from ParanoidDelusions

 I went for a more conservative career path with less risk and less reward. I'd probably do the same again, if I were back in the exact same situation today. 

 

Sacramento Restauranteur "Randy Paragary" recently passed away at 71. 

In my early 20s, he was just starting his restaurant empire. He had Paragary's, Cafe Bernardo, and was opening up a Mexican themed place called El Centro. He was the first wave of San Francisco cuisine putting Sacramento on the Foody map as a city with world class city night life. 

And he came to me to get him cheap computers for his places. Anyhow, I ended this trip in his downtown Hilton hotel property. 

But back then, on opening night of El Centro, things went WAY off the rails and their system ended up fucked. His manager threatened to ruin me. He was pissed at me. 

I backed out on doing business with him. After he cooled off, he came back to me and said that he over-reacted - his manager over-reacted - they wanted to keep doing business with me. I told him, "You're a big fish in a real rough ocean, and I'm a guppy in a bowl on a shelf. It isn't safe for me to do business with you." 

Tue Aug 24 2021 17:40:02 EDT from Nurb432

I passed up a Linux/security gig once out in Colorado   3x my current salary.   The 'it guy' was a good friend of mine and they were branching out into Linux and away from windows, for cost/security/performance. This was late 90s.

I didnt want to move, and liked where i was at.  The move, after it was all done, i didnt even need to be there often. Short sighted on my part.  Remote in for management, hire a monkey to rack new servers.  Fly in when things dont work right, and to check in on things.

They were making so much money they could not spend it all.  They were a streaming service, that did on-site filming of their product.    I guess he had to go on-set often while they were filming, and help with tech issues with cameras and stuff.  Took a toll on him, and couple of years later he 'found god' and left. Would have left me as IT director with endless budget.  Would not have bothered me in the slightest, i kick myself for not taking him up on the offer.

No, it was not Netflix, and you can can guess what industry it was. Not for everone, but it was legal.

I passed up a Linux/security gig once out in Colorado   3x my current salary.   The 'it guy' was a good friend of mine and they were branching out into Linux and away from windows, for cost/security/performance. This was late 90s.

I didnt want to move, and liked where i was at.  The move, after it was all done, i didnt even need to be there often. Short sighted on my part.  Remote in for management, hire a monkey to rack new servers.  Fly in when things dont work right, and to check in on things.

They were making so much money they could not spend it all.  They were a streaming service, that did on-site filming of their product.    I guess he had to go on-set often while they were filming, and help with tech issues with cameras and stuff.  Took a toll on him, and couple of years later he 'found god' and left. Would have left me as IT director with endless budget.  Would not have bothered me in the slightest, i kick myself for not taking him up on the offer.

No, it was not Netflix, and you can can guess what industry it was. Not for everone, but it was legal.

So speaking of security... 

I did a 6 day gig, several 12-13 hour days, minimum 8 hours/day pay baseline IT Crisis Mitigation gig last week in Northern California. 

My boss here in Arizona used it as an opportunity to fire me despite our agreement at the start that I needed a very flexible, part time gig. 

I made more in an hour than I make in a day at his job. I've paid off my car until Feb of 2022 and have enough left over to make the payments again each month through that period. 

It was an opportunity to make nearly $2000 a day, helping out a person I am professional friends with, who needed someone he could trust, in my home stomping grounds, with all expenses paid, meals and 5 star hotel rooms, upgraded mid-sized rental car, San Jose, Santa Cruz, Stockton, Vacaville, Sacramento... Business class airfare there and back and the opportunity to see my friends and family over the weekend and eat at places I love that aren't anywhere else but where I grew up

So, large corporations don't really do any better I guess. Maybe the thing to do is to be the outside consultant and only work once everything blows up and there are interesting and engaging things to do and it means long, hard hours getting them done on a tight schedule. I suppose there is a lot less stability - but regular IT work gets me biting my own neck. 

And all outsourcing does it shift it to someone outside of your organization. The cost still gets passed on, the failures and breaches still happen - the outside specialists get called in, the work backs up, the business flow is disrupted just the same. 

You're just paying someone else outside of your company to handle it and make it FEEL more transparent. They've still got to make enough to cover those inevitable scenarios - so it is built in to your upfront costs. 

No. 

Mon Aug 23 2021 04:15:25 AM EDT from darknetuser Subject: Re: Pegasus

Does that mean that if you are a masochist, you get to tie people to a post and flail them while telling them they have been bad and deserve a punishment?

thanks,  i've read all the old posts...

Sat Aug 21 2021 05:42:49 PM EDT from Nurb432 Subject: Re: Pegasus

Agreed, but some of us dont need a deity to be moral. Just treat people as you want to be treated. Its how i live my life. ( but dont want to go too far down that path in this room.   im trying to be good :) ) 

Sat Aug 21 2021 11:20:08 AM EDT from IGnatius T Foobar Subject: Re: Pegasus

Without morality, everything is permitted.

 

Agreed, but some of us dont need a deity to be moral. Just treat people as you want to be treated. Its how i live my life. ( but dont want to go too far down that path in this room.   im trying to be good :) ) 

Sat Aug 21 2021 11:20:08 AM EDT from IGnatius T Foobar Subject: Re: Pegasus

Without morality, everything is permitted.

For example - without China and North Korea and Cuba to measure ourselves again, how would we know if we were doing better or worse? You could claim that we would implicitly know we were doing better because we are better - but without a benchmark to measure against - if we were doing terrible - it would be VERY difficult to determine. It would just be "what we knew". 

"If God did not exist, it would be necessary to invent Him."   --Voltaire

Without morality, everything is permitted.

"These so called "benchmarks" of "human rights" are just the rhetoric of oppression employed by the bourgeois capitalist pigs to ensure that the patriarchy remains in undisputed power!" 

Thu Aug 05 2021 07:52:47 EDT from LoanShark Subject: Re: Pegasus

2021-08-05 01:30 from ParanoidDelusions
Subject: Re: Pegasus
The Tao doesn't exactly teach "go with the flow." I mean, it teaches
that the flow is there, and that the counterflow is there too - and
both are necessary and that a harmonious balance is ideal. 

For example - without China and North Korea and Cuba to measure
ourselves again, how would we know if we were doing better or worse?
You could claim that we would implicitly know we were doing better
because we are better - but without a benchmark to measure against -
if we were doing terrible - it would be VERY difficult to determine.

In MY one-world-government socialist utopia, we won't have that problem, because I'll shoot anyone who starts talking about benchmarks.

The Tao doesn't exactly teach "go with the flow." I mean, it teaches that the flow is there, and that the counterflow is there too - and both are necessary and that a harmonious balance is ideal. 

For example - without China and North Korea and Cuba to measure ourselves again, how would we know if we were doing better or worse? You could claim that we would implicitly know we were doing better because we are better - but without a benchmark to measure against - if we were doing terrible - it would be VERY difficult to determine. It would just be "what we knew". 

Tue Aug 03 2021 19:53:55 EDT from darknetuser Subject: Re: Pegasus

2021-08-02 15:48 from LoanShark
Subject: Re: Pegasus

2021-07-26 22:11 from ParanoidDelusions
Subject: Re: Pegasus
Evidently India has been fucking with the Dahli Lama because China is

trying to control who the next one selected will be... because...
politics. Bunch of Monks running around with compromised iPhones and

Android devices.

Tibet and shit.

gross, the way China wants to stamp out organized religion. They
justify their takeover of Tibet on the rationale that the monks were
spiritual charlatans, exploiting the population.


Guess what? Now there's just a different set of exploiters.

Sure. I have heard there is a list of "acceptable" religions to follow in China, such as Taoism (follow the events and don't fight your circumpstances, of TAO WILL CRUSH YOU). Stepping out of the allowed list is bad for you.

Just ones that are not theirs.. 

Mon Aug 02 2021 03:48:34 PM EDT from LoanShark Subject: Re: Pegasus

gross, the way China wants to stamp out organized religion. 

Evidently India has been fucking with the Dahli Lama because China is trying to control who the next one selected will be... because... politics. Bunch of Monks running around with compromised iPhones and Android devices. 

Tibet and shit. 

Sun Jul 25 2021 09:47:20 EDT from Nurb432 Subject: Pegasus

Been reading about this.  not good.  

I guess you can scan for it ( and i think others ) by using some tool funded by people like Amnesty international. 

https://github.com/mvt-project/mvt

Been reading about this.  not good.  

I guess you can scan for it ( and i think others ) by using some tool funded by people like Amnesty international. 

https://github.com/mvt-project/mvt

Even if you dont have it enabled, with Vpro, dont be surprised if you actually do anyway :) 

Amazing how they snuck that into pretty much everything modern and no one really noticed the HUGE hole it was until it was too late...Putting effectively another computer at a lower level that has access to *everything* and never turns off, cant be a good idea to anyone, other than those wanting the control.

Tho it did quietly make minix the most used OS on the planet for non-mobile devices.

Thu May 06 2021 10:53:24 AM EDT from ParanoidDelusions

I'm going to have to research this. I don't think I've got push firmware enabled on the Dells I own. They don't make it clear in the article if a remote attack can be initiated against the firmware - or if you need physical access. 

@darknetuser

If I were to make another attempt at I2P, is it safe to say you're not using it and I won't break your workflow?  I think the answer is yes but I wanted to make sure.

I'm going to have to research this. I don't think I've got push firmware enabled on the Dells I own. They don't make it clear in the article if a remote attack can be initiated against the firmware - or if you need physical access. 

Damnit.

Hundreds of Millions of Dell Users at Risk from Kernel-Privilege Bugs

Office 365, Adobe Creative Cloud - OS X, Windows *and* Linux - these are ALWAYS throwing down new security updates. My Synology is always throwing down new updates - and most people have enough systems doing this that they can't regression check them all before applying them - and the industry spits out this narrative that you HAVE to do it - or your system *is* a target. 

I don't know. I just think the conventional wisdom on aggressive, constant updates is a flawed approach. 

Tue Apr 27 2021 14:53:30 EDT from Nurb432

It depends on the vendor

In my case with the app i support, we only get 1 upgrade a year for free.  So, they wont be doing it without our our knowledge.  And any hot fix for issues we run across that we cant wait on, gets applied to our test system first, for us to sign off on before its scheduled to be put in prod.

 

Now, stuff like O365, ya, its a constantly moving target.

Mon Apr 26 2021 11:48:20 PM EDT from ParanoidDelusions

Doesn't this point out the flaw with cloud based - always latest update - software? 

I think there are so many things being updated so frequently that the odds of this happening outweigh the majority of "security updates" that roll out rapidly. 

 

It depends on the vendor

In my case with the app i support, we only get 1 upgrade a year for free.  So, they wont be doing it without our our knowledge.  And any hot fix for issues we run across that we cant wait on, gets applied to our test system first, for us to sign off on before its scheduled to be put in prod.

Now, stuff like O365, ya, its a constantly moving target.

Mon Apr 26 2021 11:48:20 PM EDT from ParanoidDelusions

Doesn't this point out the flaw with cloud based - always latest update - software? 

I think there are so many things being updated so frequently that the odds of this happening outweigh the majority of "security updates" that roll out rapidly. 

 

Doesn't this point out the flaw with cloud based - always latest update - software? 

I think there are so many things being updated so frequently that the odds of this happening outweigh the majority of "security updates" that roll out rapidly. 

Sat Apr 24 2021 20:24:17 EDT from zooer

Backdoored password manager stole data from as many as 29K enterprises

https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/

Backdoored password manager stole data from as many as 29K enterprises

https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/

VM and block all ports other than TOR or freenet or I2P.  

Wed Mar 10 2021 14:33:16 EST from darknetuser

If you want to interact with regular clearnet services, the following solutions take a "secure by default" aproach:

I set up i2p on my Pi400 - and it scares me, because I don't know that I'm doing it right, and it doesn't really hold your hand through holding it right - so it is kind of a novelty. I'm getting to sites that I can't get to normally, through regular methods - but I don't know that I'm leaking traceable information. 

And that seems to be the problem with these solutions - they need a reliable sanity check that says, "The Ayatollah or President Xi is not going to see you posting this because you're not making a stupid mistake that is easy for a noob to make, citizen of an oppressive regime." 

Which seems to be growing more important here in the US, too. Some Facebook loony stalked me OFF of Facebook. I had his personal address in Yuba city and everything else his metadata was leaking within 20 minutes of him starting to harass me - but still. I'll post more details later - it is an interesting story. 

Wed Mar 03 2021 09:27:26 EST from darknetuser

I think if I used tor I would probably set up a proxy config in my

regular browser to send all ".onion" requests to the correct proxy

instead of needing to use another browser. Same with .i2p, I guess.

And that's probably the wrong way to do it from an ultra-privacy point

of view.

Yes, that setup is very broken.

First if you visit an i2p site which has some resource loaded over cearnet, your computer will fect both the i2p and the clearnet components of the page at once.... the i2p part over i2p, and the clearnet part over clearnet. Which is very very bad.

Also, when you use the same browser for both things it is hard to forget which configuration you are using at a given time. This is, there is no clear indication when you are fetching results in the clear or not, so if you are tired it is easy to mess up.

Yeah... encryption and security has gotten very good on consumer grade devices. Intel had boxes full of password encrypted hard drives in 2003, pulled from ThinkPads. 

Mon Mar 01 2021 06:21:50 EST from darknetuser

2021-03-01 05:24 from triLcat
Not sure if this is the right place... but a friend died, leaving
basically everything important stuck in a computer that's password

protected, firewalled, and other layers of security.  

His kids need access to his financial information (and other stuff,

but mainly that). 

 

Anyone here able to do that kind of thing? (The computer is in NY) 

Do you have phisical access to the computer?

I have cracked some computers that used **heavy** full disk encryption, but only because the guy who had forgotten the password remembered most of it. The typical situation in which the guy says "I know the password started by "paypalsucks", and then it had a number, or maybe three, and ended with a special character which I don't remember.

If you have access to the computer directly, is it full disk encrypted? Which operating system (and version) does it run?

Not sure if this is the right place... but a friend died, leaving basically everything important stuck in a computer that's password protected, firewalled, and other layers of security.  

His kids need access to his financial information (and other stuff, but mainly that). 

Anyone here able to do that kind of thing? (The computer is in NY) 

I had forgot about those people.  invasive SoBs

Tue Feb 23 2021 21:44:00 EST from LoanShark

My mom was talking about this stuff to me a month ago. It sounds like you're talking about LexisNexis' verification system.

She had to get through this process, and it was asking her about me, and it was blocking her. It would ask her things like whether I've ever been associated with her most current address, or, I don't know. So she started giving it the wrong-but-plausible answers just to get through the process, and now I wonder if it will take those as correct, and now *I* have to give the wrong-but-plausible answers next time I go through this shit (and I just had to go through it a few days ago to sign up for WeillCornell's patient portal.)

For fuck's sake.

I have gotten those questions as well, scary.

What scares me is when none of the answers were correct.  

Somewhat related.

Last night i signed up with a medical testing place so i could schedule online/get results/etc.

As i did "we want to ask you some questions to verify its you"  They had one of my places of employment back in 1991 ( that is no longer even in business )... and one of the cars i own make/model/year.. ( a very uncommon car )

wtf.. not exactly secret data, but still ..wtf

My mother told me, when I was very young, 

"Don't ever write anything to a girl that you wouldn't want other people to read." 


With technology: 

Just assume that no matter how good you are, if someone is interested in seeing what you're doing, they're better than you are. 

Even if they are not - it is good humility to have. 

Brave browser’s Tor feature found to leak .onion queries to ISPs
https://portswigger.net/daily-swig/brave-browsers-tor-feature-found-to-leak-onion-queries-to-isps

or https://rb.gy/vaslzn

Remember when the government used to do anti-competition and
anti-trust investigations when tech companies pulled this kind of
shit? 

Yeah. I think Microsoft was the last company to really face genuine threat of Government restriction for their behavior. At the very least, the Government was still shaking the stick at them and putting on a show for the public. 

Now they don't even bother trying to convince us. At least give me a song and dance while you're screwing me. 

It is like the difference between gentle prison love with a kiss and gang rape in the showers. 

Mon Dec 21 2020 08:20:14 EST from Nurb432 Subject: Re: An alternative ?

Bell systems? I still remember that.  I lived thru it, being a bell-baby.

To an extent Microsoft with IE.  ( sure it was a hand-slap fine and not a break up, but it still happened )

Sun Dec 20 2020 18:01:17 EST from IGnatius T Foobar Subject: Re: An alternative ?

Remember when the government used to do anti-competition and
anti-trust investigations when tech companies pulled this kind of
shit? 

Not in our lifetime they didn't. Now they just have antitrust theater hearings, after which the monopolists know whose coffers they are expected to fill.

 

Bell systems? I still remember that.  I lived thru it, being a bell-baby.

To an extent Microsoft with IE.  ( sure it was a hand-slap fine and not a break up, but it still happened )

Sun Dec 20 2020 18:01:17 EST from IGnatius T Foobar Subject: Re: An alternative ?

Remember when the government used to do anti-competition and
anti-trust investigations when tech companies pulled this kind of
shit? 

Not in our lifetime they didn't. Now they just have antitrust theater hearings, after which the monopolists know whose coffers they are expected to fill.

Most of them are working for the government now. just not 'overtly', so they have to be careful not to piss off their 'propaganda wing', but still appear to be 'hard on them' to the public.  what a freaking scam.

Mon Dec 07 2020 12:44:46 ESTfrom ParanoidDelusions Subject: Re: An alternative ?

Remember when the government used to do anti-competition and anti-trust investigations when tech companies pulled this kind of shit? 

 

I never stopped. I still buy 'hard' media, be it movies, books or music. Then i either rip/scan it myself or "find" it out on the network and pack the original safely away so it cant be damaged. ( is 'finding' 100% legal, no, but i dare any judge to say anything when i wave the original in the air )

Of course 99% of my music is Indi as i HATE mainstream music, so that helps there too.

And ya, 'cloud services suck', unless you are running the service..

Mon Dec 07 2020 09:54:17 EST from ParanoidDelusions Subject: Re: An alternative ?

The Google Play Music/YouTube Music, where do I buy my music now issue - has me considering going all the way back to just buying CDs from Amazon and ripping them to digital format. 

Checked last night, and it doesn't look like it. 

That is the infuriating thing - these corporations all seem to move in lockstep - making the same decisions that put them in more control and hurt the consumer at the same time. 

Remember when the government used to do anti-competition and anti-trust investigations when tech companies pulled this kind of shit? 

Mon Dec 07 2020 10:07:39 EST from zooer Subject: Re: An alternative ?

Does Amazon still allow you to download music?

Mon Dec 07 2020 09:54:17 AM EST from ParanoidDelusions

The Google Play Music/YouTube Music, where do I buy my music now issue - has me considering going all the way back to just buying CDs from Amazon and ripping them to digital format. 

Does Amazon still allow you to download music?

I still run *most* of my applications that really matter locally. Increasingly, I am more hostile toward hosted applications. I don't want Creative Cloud - because Adobe keeps moving my cheese - and it takes me a half hour to relearn how to do it their new and improved way every time I launch Illustrator or Photoshop. Paint Shop Pro, though - I'm still on the 2018 version - and everything is right where I left it. 

The Google Play Music/YouTube Music, where do I buy my music now issue - has me considering going all the way back to just buying CDs from Amazon and ripping them to digital format. 

Of course, I still *acquire* the majority of these things through the web. To me, the web just became a big 24x7x365 mail-order catalog. It is Digital Turn Of the Century Sears. 

Mon Dec 07 2020 08:52:26 EST from IGnatius T Foobar Subject: Re: An alternative ?

The web evolved from a distributed document management system to a user environment that replaced Windows as the primary application delivery platform.

 

"stuck" is maybe not the best choice of words when you think about what happened:

The web evolved from a distributed document management system to a user environment that replaced Windows as the primary application delivery platform.

It isn't what Tim Berners-Lee envisioned, but it sure as hell is what Marc Andreesen envisioned.  And he did it.  Horray for the web.

Wow, should not be sending posts with a migraine.

Short version:

Today is not what the founders envisioned..  But we are stuck. And source code helps.

Tue Nov 17 2020 15:13:08 EST from Nurb432 Subject: Re: An alternative ?

I totally agree with the vision not being what it was in the beginning, and I also do not like what its (de)evolved into, but reality is we are not going back to pure web again of just simple display clients. So have to make the best of what we have.  

My example: Having source and building it yourself, helps. At least from a security standpoint. But true, you are relying on others to point out issues. I know i dont have time to read thru all that code...

 

I totally agree with the vision not being what it was in the beginning, and I also do not like what its (de)evolved into, but reality is we are not going back to pure web again of just simple display clients. So have to make the best of what we have.  

My example: Having source and building it yourself, helps. At least from a security standpoint. But true, you are relying on others to point out issues. I know i dont have time to read thru all that code...

Sun Nov 15 2020 21:44:37 EST from IGnatius T Foobar Subject: Re: An alternative ?

Too bad everything is now client side. Wasn't how the web was
supposed to be. But if it was still, would be a lot easier to code

It's not what Tim Berners-Lee originally envisioned. It is what Netscape envisioned. It is what Sun envisioned. Those pioneers tried to get there in one step, and were destroyed by the giants who were not ready for it. But if you compare a modern client-side web app to the original Java vision -- that is, before it failed on the client side and became the new COBOL instead -- we got there. We totally got there:

* Write once, run anywhere.
* Application code loads from the server at the moment the program is run, never saved locally.
* Upgrade the server, never push upgrades to clients.
* Printing sucks.

So ... Netscape didn't live to see the browser replace Windows as the most popular client platform, Sun didn't live to see JavaStations replace PCs as the most popular client side hardware, but their vision totally became reality.

https://codeloop.org/python-how-to-make-browser-in-pyqt5-with-pyqtwebengine/

Too bad everything is now client side. Wasn't how the web was supposed to be. But if it was still, would be a lot easier to code safe alternatives to use.

I have seen AOL email addresses.  

The two that I remember recently, one is a friend of the family an older guy not very technical.  He might have switched to gmail now that he has an android phone but still has the AOL address.

The other was the personal account of an older doctor.  I don't know why, maybe he kept his email because that is what he used for years.  He might have used it for medical work unrelated to the practice.

He told me once that all his old mails were gone and wanted to know if I could get them back. 

I still run into AOL and Yahoo accounts surprisingly often - but I haven't seen a Netscape address in decades, probably. 

Mon Nov 09 2020 21:17:23 EST from LoanShark

It's an absolute, objective truth that I have been visiting the wrong sort of websites. What is the internet for, anyway?

Quoted for Truth. ;) 

Mon Nov 09 2020 19:12:49 EST from LoanShark

... you're talking to a guy who just had both nostrils raped today, for a mandatory test.

I don't agree that DMV websites are the best (LOL), but I will be very happy when this is all over.


The DMV website was badly written. It failed on the callback from the payment provider they were using (I had to pay to purchase an accident report.) So they coded a simple URL redirect handshaking sequence that just fails on any modern browser. Lame. This really has nothing to do with the JavaScript-is-bad debate or anything like that.

I didn't say DMV websites are the best... I said old websites are generally the best. You clearly have been visiting the wrong sort of old websites. :) 

I like sites that play well with my Amiga 500. Citadel is not one of those sites, even without encryption - but, there is always Telnet. :) 

.gov websites are generally the worst, regardless of if they're old or new. :) 

Yeah, most likely I was trying to do something on a thoroughly obsolete web site. They're generally the best. Thoroughly modern technology rapes you, sells your personal information, and reports you to the feds for every deep secret thought you've ever fleeting entertained. 

I've experienced this "only works on IE" thing on a couple of sites. Which ones they were escape me right now, or what set of steps made me think, "let's see how this page renders on IE..." 

But I remember being shocked that IE was beating Chrome at anything. 

Another "Google is the new Microsoft" issue. 

Today I came in and my boss was losing his shit because his machine wasn't working and was crawling. Windows update was applying - and it was doing the thing where it takes 20 minutes to install, counting down the percentage, then on reboot, it gives you a DIFFERENT progress percentage countdown, that also crawls. I figured it was going to back it out, but it looks like the 2nd time it tried to apply it worked. 

At any rate - after applying, then his system was crawling. I had a look, and CPU utilization was at 50% or more at idle. Looking at the task list... I discovered Software Reporter Tool had two instances running and together they were running most of the 50+% of utilization being consumed... 

The irony is a Google search rats Google out: 

https://www.techpout.com/what-is-chrome-software-reporter-tool-and-how-to-block-it/

I know that Edge is just Chrome.. 

But Chrome is really no bet ]]>http://uncensored.citadel.org/readfwd?go=Security?start_reading_at=4598731Mon, 09 Nov 2020 17:12:04 -00004598731@Uncensored

Mon Nov 09 2020 09:58:00 EST from IGnatius T Foobar

That's interesting ... if it's anonymized now then it's been anonymized for about a year, since I switched to that registry. I wonder how they found my address.

Anonymizing your WhoIS record requires a service that costs extra. For years I just put false information in my WhoIS contact information - but that can get you deregistered if they catch you. 

Now they've got the correct info, the registrar doesn't send me threatening e-mails about my WhoIs info being fake, and I've got a level of protection me between and the Internet fruitcake stalkers. 

I use LastPass. It is centralized but also locally stored in an encrypted store. I'm able to sync across multiple browsers/machines, plus I can use it on my phone. The phone app also pops up options to autofill for other apps on my phone, which is convenient.

Fri Sep 06 2019 10:09:31 EDT from IGnatius T Foobar

That kind of usage is specifically a mormon thing. It's a slightly different take, because mormon is not mainline Christianity.

Yup. It definitely conveys a different, more direct relationship with God Himself than say, a Protestant or Catholic would express. 

We would refer to the Lord... God... 

Jesus is kind of our go-between - as Protestants - and Mary, if you're a Catholic. But both kind of operate on an assumption that God is busy and although He doesn't miss *anything* - you better only invoke him personally if your car is about to go over a cliff. 

I concur with your assessment regarding diversity and racism.

You know, somebody in th I2P official irc network brought the subject up. It turns out the Chinese already knew that language deformation (for example, inclusive language) serves the purpose of identifying your enemies and allies. It works like follows.

You and your lobby create a stupid languageism. For example, you decide to stop calling encryption tools encryption tools, and call them "tools for obfuscating terrorist activity". After a while, you check who has adopted the term. Anybody who still uses "encryption tool" is not one of yours. Anybody who says that openssl is a terrorism activity obfuscation tool is one of yours. Notice that you don't have to openly ask people which side of the fence they are standing at... you only have to listen to their regular talk in order to know who to befriend and how to mark for annihilation.

Things like modern codes of conduct and inclusive language are just this. A means to mark developer teams as friends o foes. If you don't have a code of conduct you are a fascist bastard and must be destroyed. When a development team adopts one of these, they are not just adopting. They are publicly declaring who they are siding with.

Intel has really... really become good at it, though. 

They like to lead. 

<laughs>  In this case, it's that small business unit that is still International Business Machines.  It's hard to find these days, but there is still a bit of it lingering around.  :-)

That second link is a blog run by that team's leadership, btw

IG, IBM's "X-Force threat intelligence database" is the database that houses the intelligence and research performed by the IBM X-Force Research team, which is a highly respected commercial security research team.  Much of their research is published on the X-Force Exchange, which is a "cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence and collaborate with peers."

https://www.ibm.com/security/xforce/

https://securityintelligence.com/

Disabling DHCP as a means of keeping away an intruder who has already gained access to the physical network is only going to slow them down by a tiny bit.  They'll just sniff the wire for a minute or two to figure out its addressing scheme, and look for traffic on port 53 to learn the location of the DNS servers.  In fact, a good attacker will do that even in the presence of a DHCP server, to avoid having any DHCP requests logged.

I haven't seen a lot of access networks having DHCP disabled as a security measure.  What I do see often though, in a larger organization, is the Windows, Linux, and Network teams fighting over who gets to run the DHCP server, and gains the control it offers.

It seems to be a common "best practice" by windows admins to disable DHCP as a layer of security, so that it "is harder to hack the network". Ok, I have only seen this at two clients side, but both of them share the following:

1. It is incredibly hard to do any normal admin work, like hooking up a new computer, replace a network device, etc. Because you need to put the MAC address on the whitelist and maybe add a distinct address to the host. The result is, people issue a hardwired IP in the device and forget to document that.

2. They use the worst passwords ever, enforce absolutely no password policy and users never have to change their passwords.

They use passwords like "pass" in the one place, for admin accounts. In the other place, there are local admin accounts on the machines with absolutely no password at all. And all the switches communicate with the "intelligent management console" via ... telnet. Logging in with the very same masterpassword... which is slightly identical to the domain admin password. Oh, and most important people share the very same simple password for all their computer accounts, "because we need to use the other persons computer a lot". (In a domain scenario, where you could login with your own account to the other computer. But people do not save files on the server, they use their own desktop, so..)

So, while I as an admin that only hooks up gear to the network have to jump through hoops and get to enjoy typing in hundreds of MAC adresses, the people with the most confidential data act like total retards and only need to memorize one utterly mongoloid password. Which is also a common term at the place, so it is easily guessable on top of all that.

Lesson learned: "Der Fisch fängt immer am Kopf an zu stinken." A german proverb, stating that the fish begins to smell from the head on, when it rots. In all places I have worked for, the more important the people or the files, the more stupid the passwords and the behavior. (Guess where the master password list is stored in clear text?!)

http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/

This article annoys me. The example provided just is a piss poor excuse for bad password changing policy. Which is used almost anywhere, I acknowledge.

Admin's should be way more demanding, 50% difference to all previous passwords, or something like that. I dunno how feasable that is with hashed and salted passwords, though.

In general, passwords should be at least 20 chars long and they must not contain a number. There are only 10 digits, why reduce your entropy on one char, if you could simply demand one char more and let the user choose it? People will use a 1 or their birthdate (visible on facebook) or some other stupid number.

On long term, we need to overcome passwords, there must be something smarter. My 30 char long passphrases are a nightmare on touchscreens to enter. And the more often you mistype, the easier it is for somebody to spy on your fingers.

The problem with passwords at all my clients is always the boss or the bosses. They choose the easiest and worst passwords ever, I even have one that uses 12345, another site uses a common 4 letter word for admin logins (and at the same time disable dhcp for security reasons, so the network is harder to hack *...). They always want to know the passwords of everyone else, so they can "log in to their computers, if needed." So passwords need to be stored on paper somewhere in the office, which then lands on the server as a scanned page. Or there is a password text file on the public share.

So, besides the xkcd hint, is there any good guide that a boss would understand for a password policy in the office?

* This disabling dhcp hack is a common security by obscurity trick, that would have stopped me for like 15 minutes when I was 14. In the age of ubiquitious internet, it does probably only stop the persons that want to use the network with good intentions.

*This* is why we can't have nice things.

you should cosider that in case of device loss you may not want the finder be able to access your data.

For a lot of people, getting your work email on your phone requires accepting a device policy that gives the administrator of the email server permission to remote-wipe the device.  And of course there are mobile device managers that can get even more heinous than that.

If device manufacturers truly cared about their customers, they would create a mode where it tells the email server that it was given permission to remote-wipe the device, but if such a request actually comes across, tells the server to go shit in its hat.

Why would they do that?  Data encryption at rest is more important than ever.

I'd actually be far more interested in seeing device vendors set up a mode where the device tells your employer's email server "yeah yeah, you have permission to remote wipe the device etc. etc." but not actually do that.

Good read LoanShark.  Thanks for posting.  I hate to think that sysadmins were the weak link here, but I suppose some of them can be co-opted to run a MS Word macro.

 Paranoia, the destroyer.

I was in such shock to see Ed Shultz still on TV it didn't think too much about McAffee's statement.  he said he was lying. I think we knew that,

http://www.news.com.au/technology/online/security/john-mcafee-said-he-lied-about-how-he-would-crack-iphone-to-draw-attention-to-the-deception-of-the-fbi/news-story/83796467e74b31c1c2ea5717406a77e9

But he had a reason to do it.

McAffees motto should be "Whose to blame?  Hookers and cocaine!"

Amazon removed encryption from the latest version of Fire OS

http://mashable.com/2016/03/04/amazon-removed-encryption-fire-os/#R5nLdj91AGqj

I tried searching for a video clip of Sgt Shultz but I don't want to watch him to see if I found the correct one.  There is a clip of him angrily screaming on his MSNBC show about how terrible it is when old fat white guys are angry and scream about things.  I think it was directed at Rush Limbaugh.

I had read that Shultz started off as a conservative talk show host but that market was already dominated by Rush so he went with the far left shtick.  I don't know. 

I remember when Ed was still doing radio on WDAY out of "Margo's Forehead"- Fargo / Morehead back in the day.  Oh, how the local Libertarians would have fun with him on his call in talk show.

John McAffee explains how easy it is to break into any phone.

http://www.youtube.com/watch?v=MG0bAaK7p9s

This is amazing information, what I find most interesting about this video is that Ed Shultz is still on TV.

So this LastPass thing amuses me.  Because seriously, I know I'm supposed to be touting that good security includes a password manager, but I have never found the logic in essentially *writing down* all your passwords together *in one place* in an *electronic medium*.....and then securing them with just a *single* other password *also electronic*.  

If you put on your silly logic hat that makes little sense.  Heck, these days a large portion of the population works from home...which means they might even be safer writing it down on paper and leaving it behind some closet door than having it on any accessible electronic medium.

Basically, unless you have a 2-factor solution, you've basically left the back door unlocked, kids.

http://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard/

Well, after all, We Must Protect Our Children From Terrorists.

So yeah, eavesdropping everywhere, but only for the well-connected.  Yeah.  That's it.

http://falkvinge.net/2015/01/14/hilarious-activists-turn-tables-on-political-surveillance-hawks-wiretaps-them-with-honeypot-open-wi-fi-at-security-conference/

hm...... ;-)

nristen,

I have a gpg file as well for my home stuff, but will probably switch to Password Safe for that as I use it at work and it will let you do safe imports from someone else's password file and merge changes.  It gets rid of all that who changed what and when stuff by letting you decide what to delete.  Kind of a pain to have to manually decide, but when dealing with others on shared account info, I think it will work out for the best :-)

I still kick it old school with Bruce Schneier and his Password Safe:

https://www.schneier.com/passsafe.html

Ports for non Windows / Linux exist, but Bruce says about auditing other code-bases... "Ain't nobody got time for that.".