• 0 Posts
  • 76 Comments
Joined 1 year ago
cake
Cake day: July 1st, 2023

help-circle


  • Two pihole servers, one n VM vlan, one on device VLAN with OpnSense delivering them both via DHCP options. I sometimes update lists, like yearly… At best. They’ve been there over 7 years. Calling them robust is correct. The hypervisors are 3 proxmox servers in cluster using ceph. Intrl NUC 3rd Gen. Less than 80w combined with all vms. Also 8 years old no failures but tolerant for it.


  • I think you probably don’t realise you hate standards and certifications. No IT person wants yet another system generating more calls and complexity. but here is iso, or a cyber insurance policy, or NIST, or acsc asking minimums with checklists and a cyber review answering them with controls.

    Crazy that there’s so little understanding about why it’s there, that you just think it’s the “IT guy” wanting those.




  • They seem like fully conflicting ideals. Sometimes technology is not the answer. Sometimes non technical controls are.

    Besides, by the time the control for instagram is in, nobody will be using it under 30. My partner just told me “instagram really is our parents platform” while showing my mum’s friend started following her. My mum and her friend are both 70.

    Applying it further gives all kinds of bad vibes where platforms need to check your ID like a Brisbane night club, except these aren’t Australian businesses. Tiktok forced to comply, if they did, validating that you’re 18 via a digital license that the governnent authenticates Tiktok requested your details and now knows you went via link ‘clickforabortioncontrol.track.tiktok.com’ since they’ll need to reply back to that url ‘yeah they are 14+ bro’ before you get in.

    What a distopia.

    BTW I’ve got a link for you for how ID got complicated that I configure: https://stack-auth.com/blog/oauth-from-first-principles this explains how to securely without leaking or impersonation, authenticate a user from a central federated identity management (like an online ID would need).

    There are smart people, sure. But I’ll tell you it won’t be the first try, or the second that’s correct.

    Security is so complex that the smartest people often fail. Odds are stacked, privacy needs security. Failure in security results in privacy being lost.

    Anyway I’m in agreement that it’s a horrible world out there with real harm. But mandating less privacy is unlikely to result in a better place, in fact it’s almost guaranteed to be worse and create more harm.



  • https://johnmjennings.com/an-important-lesson-from-bullet-holes-in-planes/

    The responses needs to be contain representation at least equally to non Firefox people who no longer care to answer a poll about a product that they don’t use. Why? Only current users are going to answer the poll, not the people with the cuts and pain that forced them back to Chrome or safari. Asking survivors how to reinforce survival actually doesn’t solve for why do many people off board Firefox.

    Frankly you should ask people like my 60-70yo parents why chrome not Firefox. You’ll learn more from that than the corrected responses of people who loudly have preferences but at the end of the day would stay either way. My parents tried Firefox, but then left it. Although they only tried from insistence from their son.

    PS: I agree with the poll. I don’t want a chat bot either. If I did, I’d install a plugin that integrates once of my own choosing. Given the availability, privacy, and ease of lmstudio I’d rather leave it in its own place outside the browser and network. I don’t know how those like my parents feel about a bot that can probably answer their questions. I also doubt they care. Maybe it would help them ask questions they’re too embarrassed to ask friends and family for. Usually how to questions they’ve asked dozens of times. But that’s super dangerous.



  • Other then legacy and uefi does it have a CSM compatibility support mode? An option to enable usb initialisation before bios? Eg wait for usb initialisation?

    Some “boot faster” options kind of reorder boot initialisation to a point where it’s not holding the system back.

    Though I’m really running out of suggestions… I can imagine you’re pretty frustrated. I know my Dell laptop was a pain to get the right settings to get usb to boot and the stupid 100db beep to silent on boot interruption.



  • I suggest a few more things:

    Try a different brand usb. Different motherboards sometimes don’t support some usb brands. In fact, a Lenovo server I rebuilt refused to boot off certain usbs.

    Some motherboards don’t initialise boot off some usb ports. Sometimes the additional ports are on another controller and initialise too slow.

    Just try a straight working Ubuntu live boot usb to remove any ventoy from equation. Ubuntu has real signed uefi (and no shim) granted by Microsoft. I think that’s how it works, uefi is a mess.

    Try to start isolating all the different factors, and there could be more. It doesn’t necessarily mean anything definitive if it works on another machine.


  • Hmm, so, policy in our office is a clean desk. Before you jump to conclusions, it’s because our secured area and office occasionally has people come through that should absolutely not see what information we have on our desks. This requirement is a compliance issue for our continued contracts and certifications.

    Our work from home policy hasn’t addressed this issue, but it sounds like it’s a clear gap. Your neighbour coming around for a cup of tea absolutely should not be able to see any work related information.

    My assumption is that someone has considered this kind of aspect and had a check to confirm that they’ve done diligence by asking you to reveal your working space. A space the companies sensitive information would be visible. Actually you too should maybe not be looking at your wife’s screen nor materials on her work desk. Depending on the situation.

    Either way, policy comes first so perhaps her employment agreement or employee handbook would reveal more.



  • For me I want to know how much frame latency there is since I’m suspicious and I want to try things to see the effect and I just don’t know how to get that information in an OSD like I can with msi afterburner.

    If someone knows what can do this in Linux, please reply!

    Instead I just stopped all competitive and cooperative gaming. Which is a bit of a shame. Sometimes I’ll load up windows to join friends but usually by the time I’ve updated whatever game I’ve gotten over it.

    Don’t get me wrong, hiccups aside I’m very happy which is why I’m in Linux most of the time. But it’s not always a wonderful world.




  • A software shouldn’t use passwords for tls, just like before you use submit your bank password your network connection to the site has been validated and encrypted by the public key your client is using to talk to the bank server, and the bank private key to decrypt it.

    The rest of the hygiene is still up for grabs for sure, IT security is built on layers. Even if one is broken it shouldn’t lead to a failure overall. If it does, go add more layers.

    To answer about something like a WiFi pineapple: those man in the middle attacks are thwarted by TLS. The moment an invalid certificate is offered, since the man in the middle should and can not know the private key (something that isn’t used as whimsically as a password, and is validated by a trusted root authority).

    If an attacker has a private key, your systems already have failed. You should immediately revoke it. You publish your revokation. Invalidating it. But even that would be egregious. You’ve already let someone into the vault, they already have the crown jewels. The POS system doesn’t even need to be accessed.

    So no matter what, the WiFi is irrelevant in a setup.

    Being suspicious because of it though, I could understand. It’s not a smoking gun, but you’d maybe look deeper out if suspicion.

    Note I’m not security operations, I’m solutions and systems administrations. A Sec Ops would probably agree more with you than I do.

    I consider things from a Swiss cheese model, and rely on 4+ layers of protection against most understood threat vendors. A failure of any one is minor non-compliance in my mind, a deep priority 3. Into the queue, but there’s no rush. And given a public WiFi is basically the same as a compromised WiFi, or a 5g carrier network, a POS solution should be built with strengths to handle that by default. And then security layered on top (mfa, conditional access policies, PKI/TLS, Mdm, endpoint health policies, TPM and validation++++)