Anything exposed to the internet will be found by the scanners. Moving ssh off port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.
(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)
The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.
Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.
You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.
Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.
After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.
All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:
That list could be much longer, but that’s a good start.
After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.
R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.
To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)
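The strong-auth advice in the comment above (no password auth, a keypair, no root login) as a concrete sshd check. This is an added example, not the commenter's own script: it audits an sshd_config-style text for those settings and prints the drop-in that implements them. The sample config is constructed, and the drop-in path and the service name in the final hint are assumptions that vary by distribution.

```sh
#!/bin/sh
# Added example (not from the original comment). Checks the global section of an
# sshd_config for the three settings the comment recommends and prints a hardened
# drop-in. sshd_config semantics: "Keyword value", the FIRST value for a keyword
# wins, and everything after the first "Match" line is conditional, so only the
# pre-Match section is read here.

# Constructed sample config (not taken from any real host).
SAMPLE_CONFIG='# constructed sample
Port 2222
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
'

# ssh_setting CONFIG_TEXT KEYWORD -> effective global value, or "default" if unset
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*Match[ \t]/            { exit }              # conditional section begins
        /^[ \t]*#/ || /^[ \t]*$/       { next }              # comment or blank
        tolower($1) == tolower(key)    { if (val == "") val = $2 }
        END { print (val == "" ? "default" : val) }'
}

# audit_ssh CONFIG_TEXT -> one line per weak setting; returns 0 only if all three are hardened
audit_ssh() {
    cfg="$1"; rc=0
    pw=$(ssh_setting "$cfg" PasswordAuthentication)
    root=$(ssh_setting "$cfg" PermitRootLogin)
    pk=$(ssh_setting "$cfg" PubkeyAuthentication)
    # OpenSSH defaults are PasswordAuthentication yes and PermitRootLogin
    # prohibit-password, so "default" is a finding for both of those.
    [ "$pw" = "no" ]   || { echo "PasswordAuthentication is '$pw' (want no)"; rc=1; }
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root' (want no)"; rc=1; }
    [ "$pk" = "default" ] || [ "$pk" = "yes" ] || { echo "PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    return $rc
}

# hardened_dropin -> the settings the comment's advice amounts to
hardened_dropin() {
    cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}

audit_ssh "$SAMPLE_CONFIG" || echo "sample config is NOT hardened"
echo "--- client side: ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519"
echo "--- server side: write the lines below to /etc/ssh/sshd_config.d/10-hardening.conf (assumed path),"
echo "--- then: sshd -t && systemctl reload ssh   (service name assumed; sshd on some distros)"
hardened_dropin
```

Run `sshd -t` before reloading; a syntax error in a drop-in can lock you out of the very service you are hardening, so keep an existing session open until a fresh key-based login succeeds.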
I can’t get the title to work.
It says 6 lanes in each direction, but I only see four, and can get to five if I count on/off ramps.
It says 8 feeder lanes, but 8 + 12 main lanes is only 20, not 26. Unless it means 8 per side, which would add up to 28.
Regardless, the best I can do is the off ramp in the top left. It has three “main” lanes and two left turn lanes, for a total of five. If I count the ramp next to it in addition to the four core lanes on that side of the median, we get ten lanes flowing from top to bottom - still 3 short of 13, which we’d then have to match on the other side to get 26.
I would call this 8 lanes; 4 in each direction. You can fudge the numbers by counting ramps, but even if you count parallel roads too, I don’t see anywhere close to 26.
Top shelf? Disrupted my circadian rhythm
There is no such thing as easy or hard.
Give it a try, fuck it up, and give it a try again. Try not to fuck it up in the same way as the first time. Repeat until it works - it will work eventually.
It took me about 6 hours and 3 disk re-formats my first time. I was particularly bad at it. I barely knew what a disk was, never mind a partition.
Actually I’m still not sure what a partition is.
You’ll do fine :)
I strongly recommend the NAT loopback route over attempting split-horizon dns.
It really depends on the parameters of the thought experiment.
If everyone suddenly received a lot of money, there would be a wild period of adjustment before we figure out the pricing system again and life continues as normal. Even though there’s a lot more money, there are not magically more TVs to buy. Nor would we all start building TV factories - there’s not magically more copper or concrete to buy either.
If we all got more money and buried it in our yards and swore never to use it, then nothing has changed. For the sake of the thought experiment, someone would break the promise (I would - I want air conditioning), and then everyone else would break it too, and we end up in the previous situation.
If everyone were suddenly truly wealthy - as in stuff / things - some might think we would chill out and coast for a while. But having satisfied our big needs (I am not being hunted by tigers) and our medium needs (air conditioning, yay!), I imagine humanity would just keep working - there are always more problems to solve / there is always more work to do.
Arch-packaging-haskell moment
My apologies, allow me to elaborate - grayhatwarfare.com is a cybersecurity company that crawls and indexes publicly-available blob stores, like s3 buckets, azure storage accounts, digital ocean spaces, and google cloud object stores. They offer limited search capabilities for free, no account-wall.
They are a legitimate cybersecurity company, despite their name.
My employer is working on a sensitive data scanning service, to alert clients in case their information surfaces in these buckets (even if they do not own the bucket), leveraging the grayhatwarfare api. In short, allowing us to detect and remediate the problem, which I hope you will agree is a white-hat activity :)
I do not publicly condone breaking the law. I reserve the right to criticize the DMCA tho ;)
And if google dorks aren’t interesting enough, because google does not index enough public buckets for you, then we get to learn about gray hat warfare too :)
I pay attention to credit card readers.
I have gotten to know their makes and some models. I have developed preferences. When I go to a run down establishment and they have a nice reader, I am pleasantly surprised. I know that walmart uses ingenico isc250s, and they do not support tap. I know that dunkin has high quality readers, and sometimes tim hortons does too, but less frequently.
When leaving a place, I might say something like “damn, you don’t see that model of verifone very often”, and my friends will look at me funny.
Semi-related, did you know that most receipt printers have embedded telnet servers in them?
Those things are awesome. They weigh next to nothing, the small ones have 60 inhales in them, and a single hit is night and day when running at high altitude. A buddy didn’t have time to acclimate before a race, so we got him one as a joke, and it unironically helped him a lot
As “down”, I hereby grant maculata retroactive permission to make the above joke; and formally proclaim that I found said joke to be at least somewhat amusing
This is cyberpunk as hell, and awesome.
Unfortunately apple does not expose mac addresses to apps, so iPhone users can’t do it :(
Look, the monks in belgium could survive on beer alone for months at a time, and surely coors lite is not that different. I’ll be fine!
We could call it … WebAssembly! And now it’s a C compilation target, which means we can run Node.js in the browser, to get a javascript runtime :)
They actually changed it to the new spelling in Q3 of 2016
Oh for just one time
I would take the northwest passage
To find the hand of franklin reaching
For the Beaughpheourght sea
Tailscale might be the best bet at this point. It will manage the wireguard mesh for you, and use nat holepunching for handshaking instead of needing listening ports.
It’s really not bad, you just have to rememb
Segmentation Fault - Core Dumped