If you're going to do the cheap chromebook, just buy it in country. Seems easier than creating the fake user.

# Mar 15, 2017 00:34

BangersInMyKnickers posted: the names of the people in the RSA acronym. Wow that is a totally relevant fact that a security expert needs to know. I mean, I expect dumb crap like that to be on there, but I still hate it.

# Mar 29, 2017 21:46

You can still just turn the knob.

# Apr 13, 2017 16:19

I tried the bluetooth thing just to see if it was useful. Setting the temperature in the app was actually a worse UX. You have to use a spinner, instead of typing a number in.

# Apr 13, 2017 16:57

rafikki posted: On the desktop, if you're using Professional edition (still free) there is an autotype option. It gets set up based on the title of the window that has focus when you hit the keyboard shorty, ctrl+alt+a by default. I don't get why 2.x is called "Professional" edition. It's just 2.0.

# May 19, 2017 22:02

Those emails are automated. Don't use a normal email or phone number for your registration. Opsec.

# Jun 28, 2017 16:50

Why not just do it online?

# Aug 4, 2017 17:14

Can't decide if that's better or worse than a fidget spinner. I guess it would depend on if you have kids or not.

# Aug 17, 2017 20:15

Sign up for informed delivery: https://informeddelivery.usps.com/box/pages/intro/start.action They send you pictures of the envelopes that are supposed to be delivered that day. I've had a few that never show up. Nothing important yet, and it's probably the fuckwit delivery person putting the envelopes in the wrong box. There's a nice link in there to report stuff that you didn't get that is supposed to go to the postal inspectors.

# Oct 1, 2017 16:19

Yeah, just the FINAL NOTICE letters from "Car Warranty" companies. The W2, replacement bank cards, and DMV stuff is good though.

# Oct 1, 2017 19:50

Had a phone rep ask me my security question of "Who is the man that would risk his neck for his brother, man?" My correct answer of "Shaft" didn't get a reply of "You're drat right."

# Feb 1, 2018 17:14

Gromit posted: I have a distributed password cracking network in my lab but it's been a while since I downloaded any new dictionaries. I have about half a gig of words and known passwords, but unicode and foreign language mixes things up a lot. I've not really had a good think about Chinese language passphrase use, to be honest. Thankfully most of the data I come up against is in English, and if not at least uses an English-language keyboard. If I expand my password character set, I may as well do all of unicode, even points that aren't assigned yet. Something like this: https://www.sethserver.com/unicode-random-password-generator.html ĞŚĀ☇😖¿NJŀö😙ƉƖĭȀØ😐/ȟ😰¯wƩƋ♊😐Ŝ

# Feb 13, 2018 02:25
This certificate is OK. bitprophet posted: Do you mean specifically hardening the Jenkins servers/services themselves, or securing the overall workflow? Your 2nd comment implies you're at least thinking about the latter, in which case you should take a look at secrets management systems like Vault. Having a tool in charge of distributing & rotating secrets, and enforcing that they are on short-lived leases, is a big step up from "meh I just dropped my, or a similarly long-lived, AWS API secret into Jenkins' config, now an attacker gets to be god forever if they break in". Instead, they only get to be god for, say, 15 minutes, or an hour, instead of retaining those privileges for weeks/months until they're ready to leverage them. Also, use instance roles. No long-lived IAM keys on EC2 instances. So much hand wringing with that.

# Feb 28, 2018 21:25

What do you want that cloudwatch doesn't give you? Cloudwatch isn't that in depth, but you have it already. My next go-to suggestion is datadog.

# May 23, 2018 20:27

RFC2324 posted: I've actually not looked into cloudwatch, tbh. I'm having trouble believing that Amazon is providing every solution i need with no effort so just keep ignoring their offerings. The graphs you get on the EC2 console are basically what you'll get out of cloudwatch out of the box.

# May 23, 2018 21:20

Mustache Ride posted: Elastic means the timeline is always hosed. If you're able to have Enterprise level data flowing into it and it won't crash hilariously every other day, we need to talk. I guess Loggly makes it work for their product. I've otherwise never seen it work beyond "I guess this is OK sometimes".

# Jun 29, 2018 15:11

wargames posted: hack the mattress. or news at 11, can hackers turn your mattress into a bomb, stay tuned after the break. Hackers can turn your mattress into a hell trap. https://www.youtube.com/watch?v=W7t6S6vg6U8

# Nov 30, 2018 20:18

Anyone using linux on Azure? I've turned on the System Assigned Managed Identity for some VMs on launch. It's like giving the VM an IAM instance role in AWS, as far as I understand. On boot, cloud-init runs, and adds the SSH Public Key I specified to authorized_keys for the user I specified. However, it also converts the Managed Identity keypair to ssh format, and also adds that to authorized_keys. This doesn't make any sense to me, the key pair is just for the software on the VM to authenticate to Azure APIs, not for stuff to gain shell access to the VM, right? I feel like I'm losing my mind because both Azure support and the cloud-init project don't seem to recognize that this is a problem.

# Feb 6, 2019 23:05

FunOne posted: My preferred password manager is now alerting for a Trojan. I'm guessing the guy running it had his dev pipeline compromised at some point. What's the recommended password manager for multiple desktops and mobile? Which one is that?

# Feb 12, 2019 23:05

Hey, why is this log full of "Penis1"? Me to dev lead: "Hey, one of your guys put their debugging statement into prod here." Oh, wait. Those are POST bodies, Penis1 is somebody's password. "Uh, Penis1 isn't a thing they typed, but they still need to fix that."

# Mar 17, 2019 16:08

In modern android, only the work stuff is wiped or controlled by the employer. https://support.google.com/work/android/answer/6191949?hl=en I can also turn off work mode while on vacation, all notifications and syncing are disabled.

# May 17, 2019 20:11

I'm pretty sure the AWS console will show the 2fa prompt screen even if the password is wrong. I've gotten a few users come to me with "It keeps prompting me to resync my token, I'm about ready to say gently caress mfa" but in reality they just got their password wrong. It does expose that the user does exist, and does have mfa though. I'm also not sure if it does it with yubikey auth instead of TOTP.

# Sep 19, 2019 19:46

Google added a password checkup for your browser saved passwords: https://passwords.google.com It alerted me that I had a bunch of reused passwords! I used the same password in some airline's app as I do on the airline's website. I guess it's hard to tell the difference, but the amount of false positives means I don't want to look at it again.

# Oct 2, 2019 16:07

xThrasheRx posted: Yeah it's free, but they lock alerting and "MACHINE LEARNING" behind huge pricing, which is bullshit. That kinda behaviour triggered amazon to forkish elastic stack to their own thing - which is almost identical. No, AWS forked because all of X-Pack, even the no-cost parts, are under a license that says AWS can't use it. The basic license is only free if you aren't charging users for ELK, for the sake of ELK. If you want to offer ELK as a service, you are limited to the OSS parts. We use some of the basic level features in our internal ELK, but use only OSS on the ES that contains data that our customer-facing app searches. We could probably use basic on both parts, but it saved me from talking to legal for a re-review.

# Oct 10, 2019 10:51

ChubbyThePhat posted: As many of us already say, just don't pick up the phone if they aren't in your contacts. If it's important they'll leave a message. Or if it's a robocall, they will leave a message too!

# Oct 16, 2019 19:18

You can run ELK yourself on EC2 or whatever just fine?

# Dec 17, 2019 22:59

Ynglaur posted: Is the issue that the individual EC2 instances need a lot of RAM? If the workload can be spread over lots of little EC2 instances then you could start with that and set up aggressive auto-scaling rules. You don't just autoscale elasticsearch. You'll be spending your whole life with shards moving around, reallocating, losing data. You could autoscale Logstash and Kibana, but the meat is in Elasticsearch. We run an ELK cluster, but we use ES as part of our product and most of my ES experience is on those clusters. I can't say anything like x events/second needs a cluster with y nodes or anything like that, but I will say that our new clusters are on i3en nodes and using the on-board nvme storage instead of EBS. We were on a loving ancient version of ES that didn't have index snapshots to S3, meaning we couldn't tolerate the volatility of instance store before. That change really bought us a ton of efficiency, and is going to save us a bunch of money. Elastic is pretty clear about using instance store instead of EBS, and they are right about that. So maybe they are right about the other recommendations?

# Dec 19, 2019 21:51

Bonzo posted: I can remember an old Live Journal account (back in '01 or '02 I guess) of a guy who was manning the data center despite flooding in NOLA and all the poo poo he did to try to keep servers up and running. I also seem to recall places that had generators in the basement which is useless in a flood. Yeah in '05 SA was hosted at that datacenter. SA was taken down and replaced basically with a link to that guy's site.

# Jan 21, 2020 21:46

Martytoof posted: At least the big players have their act toget-- Yeah, we can't figure out how to use Azure either. ~ Microsoft Any tickets I've opened being published will be them just doxing their own stupidity. Three months of "working as intended" that turned into "oh wait actually that is bad. Here is the CVE."

# Jan 22, 2020 18:20

The password is just more numbers. They do some conversion before including it in the URL.

# Apr 7, 2020 17:00

I like the ones that shuffled the letters, and then had a corresponding font to unshuffle the letters. Copying would just give you nonsense, even viewing the source. It must have killed SEO, but maybe they were cheating that. Also gently caress sites that block paste in form fields. I have the don't gently caress with paste extension installed pretty much everywhere.

# Apr 21, 2020 13:01

Yeah, this is good, but I'd suggest using %C instead of %r@%h-%p, where available. I hit path length issues on some longer hostnames, but %C is a fixed length hash that avoids that. You might also like to use ProxyJump, and tunnel all of your connections through one host first.

# May 11, 2020 00:48
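As an added illustration of the path-length point in that post (not code from the thread), this Python snippet expands both ControlPath templates and checks them against the Linux AF_UNIX socket path limit. It assumes %C is the hex SHA-1 of %l%h%p%r as ssh_config(5) documents it, and the home directory and hostname are constructed values.

```python
import hashlib

# Linux AF_UNIX sun_path is 108 bytes including the trailing NUL
# (macOS/BSD use 104); ssh's ControlPath socket must fit inside it.
SUN_PATH_MAX = 108

# Constructed values for the demo; not taken from the original post.
HOME = "/home/someuser"
LONG_HOST = ("ip-10-123-45-67.us-west-2.compute.internal."
             "some-really-long-environment-name.example.corp")


def expand_control_path(template, user, host, port, local="workstation", home=HOME):
    """Expand the ControlPath tokens discussed in the post.

    %r remote user, %h remote host, %p port, %l local hostname, %C hash.
    Assumption: %C is the hex SHA-1 of %l%h%p%r as ssh_config(5) defines it
    (newer OpenSSH also mixes in %j, the ProxyJump host; ignored here).
    """
    digest = hashlib.sha1(f"{local}{host}{port}{user}".encode()).hexdigest()
    return (template.replace("~", home, 1)
                    .replace("%C", digest)
                    .replace("%r", user)
                    .replace("%h", host)
                    .replace("%p", str(port))
                    .replace("%l", local))


def fits_in_sun_path(path, limit=SUN_PATH_MAX):
    """True if the socket path still leaves room for the NUL terminator."""
    return len(path.encode()) < limit


def check_templates(user, host, port):
    """Compare the %r@%h-%p template with the fixed-length %C one."""
    results = {}
    for tmpl in ("~/.ssh/cm/%r@%h-%p", "~/.ssh/cm/%C"):
        path = expand_control_path(tmpl, user, host, port)
        results[tmpl] = (len(path), fits_in_sun_path(path))
    return results


if __name__ == "__main__":
    for tmpl, (length, ok) in check_templates("deploy", LONG_HOST, 22).items():
        print(f"{tmpl:22} -> {length:3d} bytes, {'ok' if ok else 'TOO LONG'}")
```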
It's showing route53 as the provider. A looks fine over here. NOERROR on AAAA.

# Jun 22, 2020 21:51

I have to make some change to a domain managed with GoDaddy, and the DNS management panel was just not loading. I opened a chat, and they asked for the account number + support PIN, but then they also asked me to drop a Google Auth code in the chat. I refused, because that seems completely wrong. Am I overreacting here?

# Jun 24, 2020 21:15

The Fool posted: There should be literally no reason for them to need your auth code unless they are logging in to your account as you, which they should not be doing. I think that's literally what they are doing. I've been asking them to drop godaddy for years now.

# Jun 24, 2020 21:20

I'm more of an AWS guy, but I would assume that the credentials used to deploy the function are over broad, or the credentials assumed by the function are over broad, or there's something else interesting about the function. Did you find the source of the function next to that deployment spec?

# Sep 28, 2020 00:02

Did any of them stumble into a SCIF?

# Jan 7, 2021 22:48

You may be able to prove your code does what you have in your spec, but your spec can also be flawed.

# Jan 27, 2021 23:20

I have a dumb email question: If I have DKIM set up, do I also need SPF for DMARC? I thought both should be aligned. I was checking our SPF record and noticed that mailchimp was missing. They don't have any SPF info on their site and their support just told me that they don't require me to put it in.

# Feb 9, 2021 01:30

Albinator posted: As far as I can see, you need Thanks, I eventually found that one. Rufus Ping posted: You shouldn't need to change your SPF records for mailchimp - they use their own servers for the 'envelope from', so they are the custodians of the SPF records not you. Yeah, SPF has been passing on mail clients for example. However, I set up a DMARC report and it's showing mailchimp as 0% SPF aligned: I also see emails from rsgsv.net which I believe is also mailchimp. On other services, like SES, I've had to set up whitelabel return path domains.

# Feb 9, 2021 14:54
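An added example, not from the thread, of why a DMARC report can show SPF passing yet 0% SPF aligned: it implements RFC 7489 identifier alignment for both the SPF and DKIM identifiers and runs three constructed scenarios (provider bounce domain, custom return path, nothing aligned). Domains are placeholders, and organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption/shortcut: real DMARC uses the Public Suffix List, so this is
    wrong for names like example.co.uk; it is enough for the demo domains.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode="r"):
    """RFC 7489 identifier alignment.

    Strict ('s') needs an exact match with the RFC5322.From domain; relaxed
    ('r', the default) only needs the same organizational domain.
    """
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from, spf_result, envelope_from, dkim_result,
                   dkim_d, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns.

    spf_result / dkim_result are the raw authentication verdicts;
    envelope_from is the RFC5321.MailFrom domain SPF was checked against
    (the 'envelope from' the provider controls); dkim_d is the d= tag of
    the passing DKIM signature.
    """
    spf_aligned = spf_result == "pass" and aligned(header_from, envelope_from, aspf)
    dkim_aligned = dkim_result == "pass" and aligned(header_from, dkim_d, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed scenarios with placeholder domains (not a real provider's).
# 1. Provider uses its own bounce domain: SPF passes for the provider but
#    reports as 0% SPF aligned; DKIM signed with your own d= carries DMARC.
ESP_DEFAULT = dmarc_evaluate("example.com", "pass", "bounce.esp-provider.example",
                             "pass", "example.com")
# 2. Custom (white-labelled) return path on your domain: SPF aligns as well.
CUSTOM_RETURN_PATH = dmarc_evaluate("example.com", "pass", "bounce.example.com",
                                    "pass", "example.com")
# 3. Provider also signs DKIM with its own d=: nothing aligns, DMARC fails.
NOTHING_ALIGNED = dmarc_evaluate("example.com", "pass", "bounce.esp-provider.example",
                                 "pass", "esp-provider.example")
```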