• 0 Posts
  • 21 Comments
Joined 5 months ago
cake
Cake day: June 11th, 2024

help-circle

  • Whoa there, I never have - and never would - suggest that anything should be protected by a single factor. Where are you getting that?

    Authy sucks. It’s not just that the TOTP they send you might not be secure (SMS is easily exploited), it’s been shown that they’re leaking other personal data.

    You don’t have to cobble anything together. As you say, self-hosted BitWarden is a good option. As for your “glue”, you should trust it more than a third party, since you know what went into yours, and its not a massive honeypot treasure trove.

    Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.


  • Who said you shouldn’t be able to access your backups remotely?

    A lot of tools allow you to set up google drive, drop box, whatever. Yes, this brings you back to cloud, but it’s better to have a hacker wonder if some random google drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).

    The other (better) option is to have it back up to sftp (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combo any/all of; port knocking, long-password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can’t open your storage alone, etc).


  • Stop. Trusting. Cloud/SAAS. Security. Apps.

    Don’t give them your passwords and private keys, because you can never know of they’re being stored responsibly, or who has access to them.

    Don’t give them your personal details, they don’t care about protecting user anonymity.

    Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.

    “But that’s not convenient!” - It’s plenty convenient, find an app that supports your phone’s biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.

    “What if I lose my phone?” - Keep your files backed up. If you don’t do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.

    There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create honeypots catnip for hackers, and making you pay them for the privilege of being an easy target.

    Edit: I’ve been using “honeypot” wrong. It would actually be good if the hackers tried to hack one of those.


  • It’s not harmful to tell average people who run windows to disable updates, because you can’t disable the updates as a single-license scrub.

    (Theres usually some hacky bullshit to delay or block updates, but they break constantly and you have to keep finding new ones, because Microsoft thinks of their userbase as stupid babies who can’t be trusted with their own hardware).

    Also, you live in your own personal slice of Windows control with your hundreds/thousands of systems being managed with group policies. I have no doubt that you don’t see issues, because your company chose a few models of laptop or desktop and know how they’ll react to the updates. You can turn off the annoying shit, and choose specific updates at specific times. Microsoft doesn’t want to piss off their corporate customers, especially the ones with massive spending contracts with Dell/HP/Lenovo.

    Thing is, outside of you - and your groups of other corporate windows admins - the general user (with varied hardware/software configurations) don’t have the safety of catching issues on a few test machines and delaying a deploy to the fleet, or even the option to delay updates at all, and they’re screwed over constantly by random broken drivers, system setting that aren’t respected between updates, and bloat/backdoors that you can’t opt out of.

    It is you who is being disingenuous, by suggesting that the windows update system has no flaws, because you operate in an extremely controlled environment with tons of safeguards and - ironically - way more autonomy.













  • There’s a whole lot of advice here, and practically none is it is aimed at a beginner. You don’t need a reverse proxy or SSL to get started.

    1. Install the OS - You’ve done this already.
    2. Install some kind of http server - Apache is fine, people recommending anything else are overcomplicating. The package is called either apache2 or httpd, depending your flavor of Linux.
    3. Put your files in the web root - Usually /var/www/html/. If the file is something like index.html, it’ll load as the default page without having to type http://youraddress/index.html
    4. Restart Apache - different across OSes, Google will get you there. Something like systemctl restart httpd, but “systemctl” might be “service”, and “httpd” might be “apache2”.

    Once you’ve done that, you have a computer that will serve your html files when someone hits http://[yourIP]/ . At this point, make sure your router/etc is allowing connections on port 80 (the http port), specifically to that one computer. Also, don’t allow that computer to connect to the rest of your home network (not getting into a step-by-step here; every home network uses different hardware), because now that the Internet can touch it, it’s a target for hackers. If all they can touch is this one computer (start calling it a server), the risk is minimal.

    If you want to point a domain at it, that gets into DNS (the Domain Name System; literally how domains are mapped to IPs so humans don’t have to remember them). Cloudflare has guides for this.

    Since it’s your home IP, it might change. Either be fine changing your DNS if your IP changes (which usually isn’t often if you have a decent connection), or look into something called “dynamic DNS” (just a thing that grabs your current IP and updates your domain to point at it).

    NOW you can start getting into things like SSL. Remember that SSL doesn’t protect you from some guy trying to hack your site/server, it just makes it harder for them to view or change content while it’s being sent from the server to a site visitor (or back again, if you have a form).

    Google “add SSL to Apache”, you’ll find references to “VirtualHost” and a bunch of config lines starting with “SSLCertificate…”. You’ll also find plenty of references to “LetsEncrypt” (a free SSL provider) and “Certbot” (a program that lets you generate the certificates with LetsEncrypt). Follow those.

    As above with port 80, you’ll need to make sure that port 443 (the https port) is allowed for your server through your router. Again, block your server from connecting to the rest of your network. The Internet can touch it, someone will try to hack it. The SSL doesn’t save you from this.

    As for reverse proxies, you don’t need one unless you’re getting into load balancing or header manipulation (which means you’ll probably never need one for this project).

    I’m happy to answer follow-up questions.