[#] Thu Apr 14 2022 19:54:08 EDT from darknetuser


2022-04-14 18:30 from Nurb432
I can't give you details (and even if I could, I probably should not say too much), but I guess CF offers some sort of service to 'secure' external-facing web apps. We are migrating one of our largest. I guess once the switch is flipped you access it through their 'stuff' which tunnels back to our internal network, I assume via VPN.

Ya, pretty vague, but I'm not part of the teams involved, nor in testing.. BUT it seems like a bad plan to me.


Yes, I know the drill.

They have offers for small businesses in which they set themselves in front of your websites and services and act as the user-facing point, tunneling the connections of your users into your infrastructure. It is popular with medium-sized webmasters because they filter most bots, serve as DDoS mitigators, and make it very difficult for your users to know where your servers actually are. They also offer TLS acceleration, in which they offer a TLS-facing port to the users and then strip the connection and send you the cleartext, which SUCKS of them and makes them deserving of a horrible death.

IRC Masters also use this sort of provider from time to time because they are a cushion against DDoS. If you have a popular network you either have a good network in which you can null-route attacks or you hire somebody who does :(

[#] Mon Apr 18 2022 11:52:43 EDT from LoanShark



compliance compliance compliance, don't let this become all I do

BLEEP BLOOP BLEEP I'm going CRAZY!!1

[#] Mon Apr 18 2022 12:17:30 EDT from Nurb432


We are OK for DoS attacks and have enough stuff in place to mitigate that ourselves. This move is mostly for authentication reasons. This started when that Java Log4j vulnerability came out. They yanked it off the outside that weekend, and made it only available to the internal network, and "we need to make this use SSO before we put it back online" "but we somehow have to support people without accounts too". Why a current product in 2022 can't support SSO natively, I don't understand. A mix of on/off network, well, that is hard to do safely. I will give them that. I assume the Log4j problem was updated, dunno, I'm not in that group, and the security team, well, they are not forthcoming with information, even to people in their same org..

I guess there were around 10k employees that didn't have network accounts, as they don't need them. Complicating matters with the last-minute change to mandate on-network access only. Aside from other things, it's used for timekeeping, benefits, general HR stuff, including contractor access, as it also includes financial modules.. So we will have a 'mix' of users. But from what I hear, they are going to move the 'public' access pieces to a 3rd-party system completely and will never go back on the SSO requirement.

Rumor too is that if this goes well, ALL internet facing apps will have to use CF..  Even if you already do SSO..


And I guess it's not a secret what we use, it's SAP's PeopleSoft.. So not some fly-by-night thing that is 30 years old.



[#] Sun Jun 05 2022 19:05:09 EDT from IGnatius T Foobar


In the case of DNS you may also run an iterative server and access the

Root DNS services directly with no middle man.

I did this for a while, and I'll probably do it again. For added bonusfest, run your DNS server on a remote network and access that with a VPN so that your ISP and any nearby meddlers can't even see your lookups if they're monitoring the wire.

The only reason I stopped is because I wasn't comfortable with my whole household having an outage if my DNS failed. I did have it set up so that my DNS server's address was 1.1.1.1 and if it failed it would revoke the route and use Cloudflare, but the first time it actually failed the route didn't revoke, so I took it down.

I suppose I could just only put it on my own computer. My wife seldom makes lookups of any sites other than gmail.com, facebook.com etc. and my kids don't hang out in seedy neighborhoods either. I on the other hand am a person of interest.

[#] Sun Jun 05 2022 19:08:08 EDT from Nurb432


In theory 1.1.1.1 is my secondary here, so if my Pi-hole dies, it should (should) go there instead.

I have not tested that theory, though I guess it would not be hard. Just turn it off :)



[#] Sun Jun 12 2022 17:37:33 EDT from test2

Subject: Red Chinese Security


The Chinese army is watching over you to protect you.

I picked up this camera for fun... you know, for experiments. It's battery powered, for $29.

It uses CloudEdge software (Chinese army) and syncs up with the camera really fast.

Here is what you provide:

email address, GPS location of your camera (house), wifi network and password.

The camera detects events, stores images on an SD card. But notifications come through the app, not your email.

So, I'm pondering how this system sends me alerts with images and video clips when I'm 50 miles from home (which it does through the app).

Maybe there is a VPN established between a Chinese server and the app and the camera posts the events.

No other network settings were needed pairing the camera with the app.




[#] Mon Jun 13 2022 08:47:17 EDT from zelgomer

Subject: Re: Red Chinese Security


You didn't login to the app with your email? Maybe the app already knows your email because of your account on the phone?

[#] Mon Jun 13 2022 23:10:09 EDT from test2

Subject: Re: Red Chinese Security


It wanted the email to send a confirmation. The account on their system is also my email account (different password specific to CloudEdge).

The system works pretty well. It gets whiny about the 50% wifi signal and sends me messages to fix it. So far no reds out front surveilling me, unless you count the local cops.

Daughter was in and out all day, the battery dropped to 96%. At that rate I'll recharge in 25 days.

 



[#] Mon Jun 13 2022 23:12:50 EDT from test2

Subject: Re: Red Chinese Security


It seems the WYSE system might be better, it has a wireless base station that hard-wires into your network. Not sure how its wireless signal is set up or if it has a local hard drive. I'll have to look into it a bit more.



[#] Tue Jun 14 2022 02:40:06 EDT from darknetuser


2022-06-05 19:05 from IGnatius T Foobar
In the case of DNS you may also run an iterative server and access the Root DNS services directly with no middle man.

I did this for a while, and I'll probably do it again. For added bonusfest, run your DNS server on a remote network and access that with a VPN so that your ISP and any nearby meddlers can't even see your lookups if they're monitoring the wire.

The only reason I stopped is because I wasn't comfortable with my whole household having an outage if my DNS failed. I did have it set up so that my DNS server's address was 1.1.1.1 and if it failed it would revoke the route and use Cloudflare, but the first time it actually failed the route didn't revoke, so I took it down.

I suppose I could just only put it on my own computer. My wife seldom makes lookups of any sites other than gmail.com, facebook.com etc. and my kids don't hang out in seedy neighborhoods either. I on the other hand am a person of interest.



You disappoint me. As a real datacenter architect you should be using CARP or relayd or HAProxy or whatever and use your second DNS cluster as a failover in case the first one bites the dust XD

[#] Tue Jun 14 2022 02:42:05 EDT from darknetuser


2022-06-05 19:08 from Nurb432
In theory 1.1.1.1 is my secondary here, so if my Pi-hole dies, it should (should) go there instead.

I have not tested that theory, though I guess it would not be hard. Just turn it off :)


In my networks I prefer to set local DNS servers and have things break if they all go down rather than switch to external DNS. It is not like keeping good DNS uptime is hard for small networks.
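The "just turn it off" test from the two posts above, as an added example (my code, not either poster's): a small stdlib-only probe that sends the same A query to each resolver in the order a stub resolver would try them and reports who answered and how fast, so that a dead Pi-hole and a working secondary show up in one run. With the usual stub-resolver behaviour the secondary is only consulted after the primary times out, so turning the Pi-hole off tends to show up as slow lookups rather than none; the per-server timing makes that visible. The resolver address 192.168.1.2 is a hypothetical Pi-hole, example.com is just a well-known name, and the response bytes checked in the test are constructed, not captured.

```python
import random
import socket
import struct
import time


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (flags RD=1) for `name`, type A by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None
    jumped = False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data: bytes, expected_qid: int) -> dict:
    """Pull rcode, flags and A records out of a reply; reject a mismatched ID."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {
        "rcode": flags & 0x000F,
        "answers": answers,
        "truncated": bool(flags & 0x0200),
        "recursion_available": bool(flags & 0x0080),
    }


def probe(resolvers, name: str = "example.com", timeout: float = 2.0) -> list:
    """Query each resolver in turn, like a stub working down its list; needs network."""
    results = []
    for server in resolvers:
        qid = random.randrange(0, 65536)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        started = time.monotonic()
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(4096)
            parsed = parse_response(data, qid)
            rtt = round((time.monotonic() - started) * 1000, 1)
            results.append({"server": server, "status": "ok", "rtt_ms": rtt, **parsed})
        except socket.timeout:
            results.append({"server": server, "status": "timeout", "rtt_ms": timeout * 1000})
        except (OSError, ValueError) as exc:
            results.append({"server": server, "status": f"error: {exc}"})
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Hypothetical Pi-hole at 192.168.1.2 with 1.1.1.1 as the secondary.
    for result in probe(["192.168.1.2", "1.1.1.1"]):
        print(result)
```

Run it once with the Pi-hole up and once with it off: the first entry flips from "ok" to "timeout" and the second keeps answering, which is the failover theory confirmed, with the timeout value being the delay every lookup will pay until the primary is back.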

[#] Tue Jun 21 2022 17:20:36 EDT from Nurb432


I guess they are starting to roll out a 'service' on Windows boxes that only lets you run whitelisted executables.. And it's a long painful process to get one approved that isn't what they consider 'stock'. And I guess they are going to pull admin rights on the desktops too. It *has* to go through this new thing.

I bet I lose access to Fossil RCS.

Aside from the chaos this will cause, their scanning crap takes 30% CPU ALL DAY LONG (if you are lucky.. sometimes it's more, and sometimes it eats SSDs..)

 



[#] Tue Jun 21 2022 18:34:18 EDT from zelgomer


Start reporting that shit as malware. It IS malware. I've reported emails from IT as phishing before. I knew they were legit, but they broke every rule in the book: came out of the blue, from someone I've never heard of before, referencing a third-party company, and wanted me to click an external link and enter personal information that HR already has. I report it and they reply "No this one is legitimate, but thank you, it is always good to be safe!" like I'm the fucking idiot and not them.

[#] Tue Jun 21 2022 19:27:44 EDT from Nurb432


In our shop they will just ignore you. They are the worst team of people I have ever seen. They ignore everything asked of them, even requests for info on break-ins by our customers.. crickets. "We don't have to tell you what happened, or even that it did, now go away". They even make secret changes to systems and don't run it through the CMR process... A few times it's broken things: "oh, we rolled back the change" "what change? wtf?"

Hell, I have had a ticket in for nearly a week now, I lost Ethernet last week.. Figured they blacklisted me again. Not even looked at the ticket.

(Today it started working again.. but I haven't told them this.. I want to see how long it takes them to get back with me.)



[#] Mon Jun 27 2022 11:39:47 EDT from IGnatius T Foobar


You disappoint me. As a real datacenter architect you should be using CARP or relayd or HAproxy or whatever and use your second DNS cluster as a failover in case the first one bits the dust XD

I am among the best of them.  But as is so often the case with high level IT people, eventually you get to the point where you just don't want to spend a lot of time being a system administrator at home.  The time I'd have to spend putting together a world-class access network just to serve a family of four just isn't worth the time, the money, or the aggravation.  When I'm not at work I'd rather be spending the time with the family, not fixing their computer problems.

Besides, what's the point of locking it all down when my wife is on Facebook and my son is all over YouTube and my daughter is who-knows-where collecting the dankest memes of the day?

To make things easy and secure for me, I've moved the security perimeter downstream.  My main computer treats the home LAN as an untrusted network.  It has its own access controls and it runs its own DNS server (straight to the root servers, no forwarders).   And finally, I don't need a "home lab" because I have a development region in my data center.

All together, it lets me spend more time in the swimming pool and less time maintaining address pools.



[#] Mon Jun 27 2022 12:17:08 EDT from Nurb432


I reached that point a long time ago. ( burnout induced ).

"sure, i could, but this is good enough"



[#] Mon Jun 27 2022 12:19:50 EDT from Nurb432


I did notice yesterday that Pi-hole is blocking access to the DHT.. Magnets won't ever return anything, unless I swap out my DNS. (My external VPN provider swaps in their own DNS on the fly.)

Must be a rule in there somewhere. But not sure I want to bother finding it since I don't run a DHT search bot anymore.



[#] Mon Jun 27 2022 12:52:35 EDT from IGnatius T Foobar


I reached that point a long time ago. ( burnout induced ).

It usually is, and often it comes on very suddenly, even for people who were previously loving the complexity of their "home data center".

For me it was one late night in 2011 when I ran some update or another and a bunch of stuff broke.  And then my patience ran out all at once.  I deleted Asterisk and went through the house replacing IP phones with regular ones.  I deleted the iptables script on my main server and switched to the firewall built into my home router.  I deleted all of the complex X-10 integration and only used the remotes.

That's another thing.  Smart homes are for chumps.  Just turn the damn light on if you want it on.



[#] Mon Jun 27 2022 13:24:03 EDT from Nurb432


It was more than that for me. I'm an EE by schooling and electronics in general was a hobby. It was fun.

Somewhere around 25 years ago, after I hit the wall, I realized that making your hobby your job was a farce. No, it's not "you will never work again a day in your life". It was "you will lose your hobby and hate every minute of work".

Sure, I'll do what is needed, but it's not fun anymore. None of it.

The first sign was the "great purge" of all my retro stuff. Then came some 40 years of books and magazines heading out the door...

Tried so many times to get interested again, it just doesn't happen and I end up with a dust collector. It's one reason I got rid of mostly everything. Funny, this week I just asked the guy I gave all my "components" to (and scope, breadboards, bla bla) if I could borrow a 1.5k resistor. Need to test a sensor on the Jeep. Never dreamed I'd say those words, "borrow a resistor"...



[#] Sat Sep 10 2022 11:21:55 EDT from IGnatius T Foobar


I don't know about that. I still love to work on my own software on my own time (as is obvious, since you're connected to it right now). I get to do what I want with it and I don't have anyone telling me to solve the wrong problems or solve them in the wrong way.

On occasion I've received comments about "working" when I should be relaxing.
But all of those times it was just when I brought a laptop along on a trip or something and was tinkering on my own stuff. Because sometimes playing looks exactly like working to someone who doesn't recognize either.
