|
just use sms 2fa to keep those nukes secure
|
#
?
Sep 3, 2019 17:09
|
|
|
|
| # ? Apr 28, 2024 00:39 |
|
|
Sereri posted:Can't wait for the 2020 version of that ai Google doc with the row compromise the cell network, generate that false positive warning, then launch your poo poo
|
|
#
?
Sep 3, 2019 17:09
|
|
|
Lain Iwakura posted:just use sms 2fa to keep those nukes secure the double-WOPR with keys
|
|
#
?
Sep 3, 2019 17:10
|
|
|
Subjunctive posted:I wonder if the no-dynamic-addresses thing is a big deal for me given how rarely my address changes (hasn't happened in the year I've had service). how hard is it to do the address update? maybe I could automate it alongside the dynamic DNS updater yes, use this on a frequent cronjob https://github.com/WireGuard/WireGuard/blob/master/contrib/examples/reresolve-dns/reresolve-dns.sh
|
|
#
?
Sep 3, 2019 17:16
|
|
|
I wonder what leads people to write security-sensitive scripts in inscrutable extended-bash
|
|
#
?
Sep 3, 2019 17:26
|
|
|
it's never a conscious choice, just a series of decisions between the benefits/risks of just-one-more-line vs a rewrite
|
|
#
?
Sep 3, 2019 17:51
|
|
|
I have my Mini-PCI-Ex WWAN NICs IP range as one of the few permitted IP ranges that can access my network directly, but for everything else I use a SSH jumphost on a server in the Equinix, Virginia, US datacenter (because it's free, and I'm poor) that is accessible from anywhere and only permits access with keyfiles. I don't think it's fool-proof, but since I've been taught that keyfiles must have passphrases for my entire life, I think I could do worse. Rufus Ping posted:yes, use this on a frequent cronjob It's also run on FreeBSD.
|
|
#
?
Sep 3, 2019 18:21
|
|
|
|
|
#
?
Sep 3, 2019 18:25
|
|
|
D. Ebdrup posted:There's also freedns.afraid.org that can be updated by a simple curl command.
|
|
#
?
Sep 3, 2019 18:25
|
|
|
yes precisely, this is to force wg to reresolve the endpoint hostname to an ip once your ddns has been updated (i use dns.he.net for that, supported natively by edgeos)
|
|
#
?
Sep 3, 2019 18:51
|
|
|
wanna say that wireguard write up is bomb, thanks for that.
|
|
#
?
Sep 3, 2019 19:22
|
|
|
Yeah, the write up is excellent, I'm gonna try it tonight.
|
|
#
?
Sep 3, 2019 19:35
|
|
|
CommieGIR posted:
I just wanted to say this is a cool and good post and you are a cool and good poster for making it!
|
|
#
?
Sep 3, 2019 20:12
|
|
Welp. I gotta internalize your criticism, you guys do have some very valid points. Still feels like a gut punch, but peer review often does. I'll roll with it.
|
xtal posted:I wonder what leads people to write security-sensitive scripts in inscrutable extended-bash in this case its portability, wireguard is multiplatform and that script will work on everything but windows
|
|
#
?
Sep 3, 2019 20:21
|
|
|
The "algorithm" is actually 5 Indian dudes paid sub-minimum wage to read the news all day.
|
|
#
?
Sep 3, 2019 20:43
|
|
|
Ur Getting Fatter posted:The "algorithm" is actually 5 Indian dudes paid sub-minimum wage to read Twitter all day.
|
|
#
?
Sep 3, 2019 21:03
|
|
|
NVM didn't F5
|
|
#
?
Sep 3, 2019 21:48
|
|
|
linux lts kernels are a complete mess of missed or broken security patches https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
|
|
#
?
Sep 3, 2019 22:31
|
|
|
wireguard is too new to be good or usable but it's got a really good name. also "lightweight" branding
|
|
#
?
Sep 3, 2019 22:44
|
|
|
Yeah doing all that parsing and stuff in-kernel? Idk about that. I'm gonna stick with openvpn for a couple years.
|
|
#
?
Sep 3, 2019 22:47
|
|
|
spankmeister posted:Yeah doing all that parsing and stuff in-kernel? Idk about that. I'm gonna stick with openvpn for a couple years. Me too, but I still want to try it.
|
|
#
?
Sep 3, 2019 22:50
|
|
|
I thought wireguard’s usability was a big selling point, with the qr code configuration stuff and provisioning profiles and peer-to-peer. is it clunky?
|
|
#
?
Sep 3, 2019 22:52
|
|
|
Nomnom Cookie posted:wireguard is too new to be good or usable but it's got a really good name. also "lightweight" branding as someone that followed the development of OpenVPN and WireGuard for years now, I’ll take alpha WireGuard over “mature” OpenVPN the fact that it can’t be ports scanned because the very first packet is authenticated and that it doesn’t allocate memory at runtime prevents whole categories of potential exploits
|
|
#
?
Sep 3, 2019 23:11
|
|
|
Subjunctive posted:I thought wireguard’s usability was a big selling point, with the qr code configuration stuff and provisioning profiles and peer-to-peer. is it clunky? the linux config story is fine - much nicer than openvpn or ipsec android gui version is decent and works seamlessly with both userspace and kernel versions can't speak for other OSs or GUIs
|
|
#
?
Sep 3, 2019 23:17
|
|
|
my first impression is that the windows gui won't work unless you're logged in to your desktop with an admin account. Can't even run-as admin
|
|
#
?
Sep 3, 2019 23:20
|
|
|
nice to see security apps aware that the Windows GUI isn't safe
|
|
#
?
Sep 3, 2019 23:35
|
|
|
CommieGIR posted:
|
|
#
?
Sep 3, 2019 23:39
|
|
|
Rufus Ping posted:the linux config story is fine - much nicer than openvpn or ipsec the iOS experience seemed pretty great, but I didn’t try on-demand
|
|
#
?
Sep 4, 2019 00:55
|
|
|
pseudorandom name posted:nice to see security apps aware that the Windows GUI isn't safe yeah, but that's the opposite of safe that dialog is the equivalent of telling me to log in as root in order to use the gui
|
|
#
?
Sep 4, 2019 01:03
|
|
|
all that port knocking chat reminded me of another ssh suggestion I saw. which is to run your ssh daemon as a tor hidden service, is that a good or bad idea?
|
|
#
?
Sep 4, 2019 01:04
|
|
|
Crankit posted:all that port knocking chat reminded me of another ssh suggestion I saw. which is to run your ssh daemon as a tor hidden service, is that a good or bad idea? avoid being near arguments by couples in libraries while using ssh if you do implement that
|
|
#
?
Sep 4, 2019 01:27
|
|
|
Crankit posted:all that port knocking chat reminded me of another ssh suggestion I saw. which is to run your ssh daemon as a tor hidden service, is that a good or bad idea? It's a good alternative to dynamic DNS if you don't mind it being slow, plus you don't need to use TLS for anything.
|
|
#
?
Sep 4, 2019 01:43
|
|
|
Crankit posted:all that port knocking chat reminded me of another ssh suggestion I saw. which is to run your ssh daemon as a tor hidden service, is that a good or bad idea? it's kind of ridiculous and you shouldn't do it, but it has some neat properties - accessible through [cg]nat - can get past some dpi using pluggable transports (obfs4, meek) - don't need to validate host keys because onion services are authenticated end-to-end downsides: - latency is bad
|
|
#
?
Sep 4, 2019 01:54
|
|
|
downsides: - you'll probably end up on some sort of list
|
|
#
?
Sep 4, 2019 01:58
|
|
|
The Fool posted:yeah, but that's the opposite of safe if you log in as root then the input method editor can't attack privileged programs
|
|
#
?
Sep 4, 2019 01:59
|
|
|
mystes posted:downsides: the classic mistake people used to make is this: - using v2 onion services without client authorization - malicious hsdirs can then derive your service's .onion address from its descriptor - portscan and fingerprint your services (tls certs, sshd host key) - you left the same services accessible via the clear web, or successfully remembered to disable them but forgot to then rotate your keys - shodan saw it all - police raid OVH and image your top secret drug marketplace server
|
|
#
?
Sep 4, 2019 02:10
|
|
|
Lain Iwakura posted:avoid being near arguments by couples in libraries while using ssh if you do implement that lmao
|
|
#
?
Sep 4, 2019 03:37
|
|
|
literal skynet, cool
|
|
#
?
Sep 4, 2019 04:37
|
|
|
the good news is the amount of hand waving wrt "artificial intelligence" in the source article could be effectively used as an ABM defense field
|
|
#
?
Sep 4, 2019 04:53
|
|
|
|
| # ? Apr 28, 2024 00:39 |
|
|
Perplx posted:as someone that followed the development of OpenVPN and WireGuard for years now, I’ll take alpha WireGuard over “mature” OpenVPN “prevents whole categories of potential exploits” is more marketing. wireguard doesn’t have a track record. I’m surprised tbh that I have to tell the secfuck thread new and different is doubleungood not surprised. saddened
|
|
#
?
Sep 4, 2019 06:29
|
|