Language:
switch to room list switch to menu My folders
Go to page: 1 2 [3] 4
[#] Fri Jan 24 2020 10:47:07 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

The best way to run Kali is possibly off a bootable image DVD. You can't save that way - at least not to the system, or update the disk image, of course - but there are no forensics left on the actual machine between sessions. I suppose this assumes you're doing black hat stuff with Kali... but I'm sure there are legitimate cases where you don't want outside actors being able to recover your pen-test results from a compromised machine. 

You can always reimage the machine for each client, as well. 



[#] Tue Jul 28 2020 15:29:26 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

Boss has had all kinds of problems with the hosted Quickbooks server - and I can't really help him. He has to call tech support. The machine has been losing settings and looks like it is rebooting occasionally with core dumps. They make us go direct print, then the next agent makes us go back to Uniprint, then we wash, rinse repeat.


This is the problem with cloud based solutions. It is just someone else's computer, and you're largely relying on their expertise. IT is dead.

[#] Wed Jul 29 2020 14:04:52 MST from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

"It's in the cloud!"

Yeah, whatever.  Run your own "cloud" or lease a private cloud from a hosting provider if you care at all about your IT workloads.



[#] Wed Jul 29 2020 21:10:25 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

 

Wed Jul 29 2020 14:04:52 MST from IGnatius T Foobar

"It's in the cloud!"

Yeah, whatever.  Run your own "cloud" or lease a private cloud from a hosting provider if you care at all about your IT workloads.



To be fair, he didn't have the budget or the expertise to do anything but what he did - he needed a managed hosted solution. But it is getting to the point where he wants to grow and he is going to have to consider migrating to an environment where he has more directly control and ownership of the server and his data. That'll be more expensive, and he won't like it - but it is one of those cost-centers he is going to have to face to get the kind of service and availability that he'll need going forward. That'll be a fun discussion when it happens. 

 

 



[#] Tue Nov 10 2020 19:36:11 MST from TheDave

[Reply] [ReplyQuoted] [Headers] [Print]

There's a T-shirt I see advertised sometimes that says "There is no cloud, it's just someone else's computer" and every time I see it, I ALMOST buy it.  Maybe next time it comes around.



[#] Tue Nov 10 2020 19:57:54 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

I love that shirt. 



[#] Mon Nov 23 2020 22:18:28 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

So, some British cunt said the BBS was designed like shit and ran like a dog a few days ago. 

I suppose he is right - but, honestly - that *is* sort of the point. This is a punk club in a warehouse park with extension chords running from outlets up to a "stage" that is really just a wooden platform made out of scrap pieces of plywood and two by fours - and that is by design. 

But... then today, the BBS was REALLY slow connecting... it still is... over the public network. It is so bad, I'm connected over my private back-door, which I usually have turned off. 

And of course, if it is slow, a lot of you are probably trying to connect, having it take forever, and just giving up - and that doesn't work. I can't have that. 

So... the thing is, I originally threw this up because I had a spare Pi 3B lying around - and I mostly wanted to see if the Pi could do it - and it can. Fairly well, I might add. 

There are a few problems, which might come down to Raspbian Pi being a stripped down Debian for ARM - so a Pi 4B won't solve those issues. 

But I'm on this slippery slope - I can feel it. I was going, "Well, maybe a Pi isn't what I need. Maybe an Intel NUC is what I need..." 

So, in no time at all I was playing mental tug of war like this... 

An i3 or i5 is going to run me between $300 and $500 no matter how I cut it. But I can do a Pentium or Celeron for under $200. But, does a Pentium or Celeron really perform that much better than a Pi 4? But... it is Intel, so I can run a proper Debian, Ubuntu or CentOS - instead of Raspbian Pi or some other Linux for ARM. 

So, now my $35 spare Pi on my home network has become a $15 a month Public IP address service, and I'm thinking about adding on a $300 full fledged PC... not that I don't have 3 spare Mini-ATX machines in my closet... but as small as they are, they're too big to put up on the shelf in the laundry room. I need something *small*... 

For my BBS... that gets maybe 3 calls a day and maybe 5 to 10 messages a week. 

And, the thing that got me contemplating all of this, wasn't the English cunt, and wasn't that the Pi isn't running fast enough... 

It is something out of my control that would have affected the NUC the same way as the Pi - it is my ISP having network issues. Our TV is buffering and dropping in quality, my daughter and wife are complaining about speed... I'm seeing slower connections to all of the outside sites. It'll get fixed, and things will seem better. 

This is me working through why I don't *need* to spend $300 or more on a NUC. If I'm going to spend that kind of money on a useless PC - there is a refurbished SX-64 with a 1 year warranty for $599 that has been calling to me, and a $799 recapped and refurbished Amiga 1200 that I'd love to add to the collection. They're both too much... but their prices are only going UP. A NUC is going to be nearly impossible to resell the minute I buy it - but I know if I could find a used one, the guy selling it would be asking $25 less than new - because if you're selling a NUC, you know that the person LOOKING for one hasn't got a lot of options to save a buck on it. 

I do not need a NUC - and the Pi is fine. If you guys disagree, I'll send you my Venmo account and you can start a WallOfHate fundraiser for a better system. :) 

 



[#] Mon Nov 23 2020 22:59:29 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

I mean, I was seriously considering paying more for a new i3 NUC than I paid for this Macbook Pro i7. 

The smarter thing to do would be to shop around for an old i7 laptop and refurbish that and turn it into the BBS - if that was the way I was going to go. Just let it run 24x7. 

I've got to think over my options, here. 



[#] Sat Dec 19 2020 18:31:21 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

So, one of the interesting things about the world wide web's evolution... 

I keep thinking that I'd like to have a low quality version of The Sanitarium playing on the welcome page of The Sanitarium before you log in... but every time I consider this, I remember... 

People hate web pages that play unsolicited sounds. It is one of the most counter-intuitive things possible - we love our multi-media to have sound - and when it first came out, I think people thought it was pretty cool. But pretty soon, it became a hassle, and now people despise it. It slows down page loads, it narcs you out when you're at the office - the first time you go to a webpage it is cool, but by the 10th time, you're sick of the tune. 

It is a bling-thing for HTML that totally failed. 




[#] Tue Jan 05 2021 12:27:20 MST from ParanoidDelusions

Subject: donovancolbert.blogspot.com Latest Blog

[Reply] [ReplyQuoted] [Headers] [Print]

A PC Wizard has Carpal Tunnel Wrists 

 "How do you think he does it, I don't know... what makes him so good?"

 

For my next trick, I will make floppies levitate


TLDR: There are two kinds of SSL/TLS certs - CA Signed verified certs and Self Signed unverified certs. Both give you an encrypted session that can't easily be hacked. If you get the address from someone you trust, you are theoretically just as safe with a self-signed cert as with a CA verified Cert. Read below for full details. 

 

For a long time people have called me some variation of a PC wizard. In the past, it has always meant, "he is really good at computers," but lately - I feel like being a PC wizard has actually become perceived as something like being a master at arcane mystical knowledge that is unknowable and out of reach to the majority of the population. 

Recently I put up a private-blog and web/telnet BBS at: 

https://wallofhate.com 

Feel free to visit and create an account if you want to hear even more of my thoughts, ramblings, opinions and experiences. 

I had decided, like many of my friends and associates - that I had lost faith and trust in the large corporations that increasingly have a choke-hold on the flow of information on the Internet. John Gilmore is famously quoted as saying, "The Internet interprets censorship as damage and routes around it". This is true. The decentralized design of TCP/IP, the backbone protocol of Internet traffic - is designed to break traffic into packets, and send those packets out over multiple routes to the destination, and to reroute if one route is broken or unreachable. Sites like Facebook and Twitter became whirlpools of self-contained Internet traffic - destinations like a digital Hotel California, where you can check in any time you want, but you can never leave. The trick is, you opt into this Faustian agreement - by simply becoming so consumed with all of the content contained within Facebook's network that you seldom venture outside it. When you do, you go to some other dominant destination. Twitter, Google, Amazon. They don't need to worry about the Internet routing around censorship, because you're only consuming data within their private networks, which they control the flow of information within. Increasingly, they assure you that anything outside of their network is "fake news," is "untrusted". It hasn't been "fact-checked". 

So, I put up an alternative. The number one reason people tell me they don't visit the website is because they get an ominous warning in their browser that "This site's identity can't be verified and may be trying to steal your information." 

This is Fake News

 

The alert above warns that "Your connection isn't private," and then describes that "attackers might be trying to steal your information from secure.wallofhate.com (for example, passwords, messages, or credit cards.)"

This is where being a PC Wizard comes in. People see this warning and they imagine that hackers are going to use a site to infiltrate their PC and gain access to their banking and financial records, watch them on their security webcams, and take control of their connected refrigerator and other appliances. 

The warning is technically true. The site claims to be a site, and it can't be verified that the site is really who it claims to be. If you get an e-mail or text telling you that your Bank of America card has been compromised, with a link to click on, and you click it and get this message - then by all means run away. They're trying to get you to enter your account information on a fake site so that they can then log in to the real site and get access to your account. That is how a phishing scam works. 


But if a friend you trust gives you the URL to his personal or private website and you click on it and get this message - you're fine to proceed to the site - especially if you're smart enough not to use the same account name and password on his site as you use on your Bank of America and Verizon accounts. 

Here is how this works. In the early days of the internet, we used a protocol called HTTP (Hyper Text Transport Protocol) to connect to sites on the WWW (World Wide Web). For most people the WWW has become the internet. It wasn't a big problem when you just logged in and read a page. But as web pages became more interactive, and started to hide behind account logins that required passwords and had confidential information - this became a concern. When people started using public shared locations to access those sites, it became a HUGE problem. HTTP in an unencrypted, plain-text (or clear-text) protocol. Anyone sharing the network with you can look at your traffic and see everything you type in and send to the server with HTTP. It was very easy for hackers to go to a Starbucks or airport or hotel lobby and set up something called a "Man in the Middle" attack, where you thought you were connecting to Starbucks, but you were really connecting to their PC, which was impersonating Starbucks. Their PC would in turn hand you off to the real Starbucks connection, but all your data passed through their PC, where they would log it and steal it. 

So, HTTPS, or SSL became popular. It is an encrypted tunnel protocol version of HTTP. Your PC connects to the destination site, they share some magic information back and forth, and set up an encrypted tunnel before any user information is exchanged, before any log-in or post is written or account information is viewed. It doesn't matter if there is a man in the middle, because the data isn't in clear-text. They can see that data is going back and forth if they hijack your connection, but they can't see what that data says. Of course, hackers figured out how to crack that encryption, and so now it is a cat and mouse game of the encryption improving, and then the hackers cracking the encryption algorithm, and then a stronger encryption algorithm being designed. 

This part gets a little complex. It is the part where people start going, "You've got to be magic to understand IT." To enable SSL/TLS the site owner adds a thing called a "Certificate" to their webserver. It is a file that verifies that the site is who it says it is. It makes sure the names all match. I can't just put up a server called "https://google.com". The Internet has to be sure that every site on the internet is unique and matches a known IP address. This is how you type in a site name and get there. You talk to a thing called a DNS (Domain Name Server), and the DNS server looks at the name you want, looks at a list of names, finds the name you are looking for, turns that into a numeric IP address, and then sends you there. It is a little more complex than that - but that is the basic way it works. But I can get the domain name support.ru and then put "google" in front of it on a server and create a server called "https://google.support.com" This is far different than a site called "https://support.google.com" One is obviously real to an IT pro, the other is obviously fake. But to an average user, they both look like Google's real support site. But I can also send you a link that LOOKS LIKE "https://support.google.com" in an e-mail, but then redirects you to a site called "https://google.support.com" and that even might trick some IT pros if they're not paying attention. Certificates make sure that the site you are going to matches the name of the server. So, if the cert is for "support.google.com," the cert needs to be issued to "support.google.com". If it isn't, it'll warn you that there is something wrong with the cert when you try to connect. Which it should. 

The browsers, made by companies like Google and Apple and Microsoft, started adding these ominous warnings designed for the lowest common denominator of Internet User, that warned if something seemed wrong with the Certificate. If there was a mismatch between the name on the cert or other issue that could possibly indicate the site was fraudulent. 

At the time the idea was that if you were accessing a site over the Internet - the cert needed to be verified and issued by a trusted 3rd party authority. These are called Certificate Authorites, or CAs. They are a handful of big corporations not unlike Facebook, Microsoft and Apple - who have the sole authority to issue "trusted, signed certificates". Generally speaking they charge money, and it isn't cheap, for a certificate - and they make you go through some fairly involved hoops to verify you are who you are and you actually own the site for which you are getting a cert. It isn't an inherently bad thing. It actually does make the Internet more secure and more trusted. 

But this is where average users not understanding the technology becomes a problem. When Information Technology started down this route, the idea was, "If you are hosting a public Internet site that anyone can connect to, you need a CA issued trusted signed certificate - but if you're hosting an internal company or business webserver, the IT staff can tell the users to just ignore the frightening warning message that the certificate isn't trusted." 

 

 

 


So, the industry came up with a thing called a "Self-Signed Cert". That just means that the website operator knows they are the site they claim to be, knows they own the site, and doesn't need to spend money or jump through hoops to make the site secure, encrypted, and available to their employees. In fact, a site with a self-signed cert that is administered by competent IT security professionals is safer than a site with a CA signed cert that is administered by morons. The number of security breaches at high profile sites over the years proves this is true. The cert itself doesn't make you, or your data safe. The knowledge of the people running the site, and your own knowledge, are far more important to your data security than a Trusted vs. an Untrusted certificate. To be absolutely clear - everything else being equal - a self-signed certificate has the same level of encryption and security as a Trusted Cert verified by a Certificate Authority - assuming you trust the site operator.  

 


The problem seems to be that people don't understand the frightening message their browser puts up when they hit a site that has a self-signed certificate. They think maybe their browser knows something they don't - that it has detected some sign that the site has been faked. If the user knows the site and received the site address from a trusted source - their web browser knows less than they do about the authenticity of the site. All the browser knows is that the site has a cert that is self-signed and not issued by an official Certificate Authority. That is literally all the dire warning about attackers trying to steal your information means. Your web browser doesn't know this - it just knows that this is something that attackers trying to steal your information do. 

Increasingly - this results in a troubling situation. It reinforces the tendency of average users to stick to large, official corporate websites and to run away from safe, but . Certificates become more like a license and registration to host a "reputable website". A secure SSL/TLS website is a secure SSL/TLS website - even if it is a scam site, the data transferred is encrypted. If you were connected to a scam website, other cybercriminals in between would not be able to see the encrypted data transferred between you and the scam site, if it were over a SSL/TLS connection. Only the cybercriminals on the other end would have access to that data.  SSL/TLS is secure, regardless of it the site is self-signed or used a CA verified cert. So self-signed sites are more like pirate radio. Unlicensed and unregistered cites that haven't gone through an official verification process. In the early days there was a lot of talk about the "Democratization of the web," and how it would allow everyone to have a voice that can reach anyone else. SSL/TLS is, perhaps unintentionally working against that goal at this point. More accurately, it may be being intentionally abused by the Big Tech industry to silence voices that Big Tech doesn't want heard. If so, all that Big Tech is doing is using consumer ignorance about the technology to scare them away from sites that do not use CA issued certificates. This is probably not healthy overall for the web, for the consumer, or for the spread of knowledge. To few big corporations control the flow of information in our society - and unfortunately SSL/TLS has become a tool that helps them maintain this control. 

SSL/TLS is necessary and a good thing - but consumers need to understand it better - and browser companies should consider changing their warnings or linking to better descriptions of what those warnings mean. If they're going to scare the public about sites that do not have CA issued certs, maybe it should be their responsibility to educate the public better, as well. Right now their approach is either lazy or intentionally disingenuous. One is irresponsible, the other approaches being evil. The question I increasingly find myself asking is who is bigger threat to me, the scammers that want to steal my money, or the corporations that seem to want to steal my voice?   



[#] Tue Jan 05 2021 13:00:37 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

The real problem is that people now have Twitter sized attention span, and this is a "Game of Thrones episode," long blog post.

People are content to have Facebook and Twitter and Google and Microsoft tell them what sites are safe and what are not. Even a lot of those that understand what is being done to them go along willingly with it. 

 



[#] Tue Jan 05 2021 17:36:43 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

Also, I'm not trying to shame anyone with that blog post. The first time I saw this kind of browser SSL error message, I freaked out too - because it makes it sound like some sort of built in Anti-Malware in the browser has detected an actual attempt to fool you into clicking on a site you shouldn't - and the media has driven into our heads what an ever present danger this is. 


I just kind of assumed that everyone who has been involved in Citadel - especially the guys who code - have always known more than me about information technology, and always would. It never occurred to me that some might actually have been out of the game for a while and not be current on the latest security standards for web development. 

I also forgot that a lot of my friends aren't technology professionals at all - and they don't necessarily work in big companies with Intranet servers that might have Self-Signed certs and where the employees are briefed about the false-alerts and how to bypass them before the internal sites go live. 

So... I was taken by surprise when I kept hearing, "Yeah, they saw the security alert about fake sites when they tried to log in and decided not to risk it..." and had to be reactive instead of proactive about trying to explain what is going on here. 

That is totally on me. Bad roll out. 

Also, I didn't really get serious about at least making it a self-signed cert that had correct information until the complaints started coming in - because - seriously, this is just a BBS - the only thing they can "steal" is your account, or see what you're about to post before it becomes public. 

But, making it more of a public, permanent site - I should have upped the game on my professionalism about configuring these things for the general public ahead of the general public starting to arrive. 

 



[#] Tue Jan 05 2021 17:54:01 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

I've also had a few users concerned about the security of the Online Users log showing the IP address users are logged in with. This is something I wish Ig would add a switch to disable - but the fact is, every website you connect to has a log of your IP address and that you connected - and your e-mails often contain your embedded original IP address too. Your IP address is assigned by DHCP by most ISPs - it changes frequently. It generally can't be used to trace you any closer than maybe your basic neighborhood. At least, not without tools available to your ISP and the authorities. 

 

But if you're concerned about it here - you should be concerned about it *everywhere*, and that is where a VPN comes in. They're trivial to use, there are free and paid ones. If this is what is stopping you from using the BBS - it should stop you from using the web altogether unless you're surfing with a VPN. 

 

For example, I am NOT actually connected from Prague, right now. 

 

But if you look at Online Users - it says I am: 



[#] Sun Jan 10 2021 19:04:31 MST from Google Bot

[Reply] [ReplyQuoted] [Headers] [Print]

At one time you could change what room you were in and the IP address field.

If you log in via SSH or the text client and .ec you can hide yourself from the online visitors.



[#] Sun Jan 10 2021 19:10:44 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

Interesting. Some of my users might find this information useful.

Although the BBS may get locked down, or change to I2P, in the coming weeks. In fact, I think something like that is quite likely. I'm not as interested in reaching a large audience as I was in the past. I'd rather have a very select group of people I trust to interact with.

The Sanitarium may actually become an Anti-Social Networking site.

 

Sun Jan 10 2021 19:04:31 MST from Google Bot

At one time you could change what room you were in and the IP address field.

If you log in via SSH or the text client and .ec you can hide yourself from the online visitors.



 



[#] Mon Jan 18 2021 15:25:28 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

I keep thinking about enabling e-mail on Citadel... 

Then I think about the hassles of setting up a reverse DNS lookup, running spam-filters and preventing relaying and how many more hackers come sniffing around an MX record than just about any other record... 

It sure would be nice to have a "name@wallofhate.com" e-mail account. 

But it is SOOOO much work running a mail server. 

https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

 



[#] Mon Jan 18 2021 16:20:49 MST from TheDave

[Reply] [ReplyQuoted] [Headers] [Print]

 

Mon Jan 18 2021 15:25:28 MST from ParanoidDelusions

It sure would be nice to have a "name@wallofhate.com" e-mail account. 
 

LOL nope, do not want.  I get what you were going for but you couldn't pay me to use that as an email address.



[#] Mon Jan 18 2021 16:28:59 MST from ParanoidDelusions

[Reply] [ReplyQuoted] [Headers] [Print]

I don't know why people are so afraid of this domain. 4 years ago, people would have gotten it. "Facebook" vs. "WallofHate".

Now everyone is terrified of hate, even though they're all full of it. Fucking responsible for it.

It is one of those insidious ways you can see how the atmosphere of mass hysteria has fucked society up, actually.

"Why is your domain Wallofhate?"

"Because I hate cancer and war and social inequity and..."


"Oooooh! Oooooh! I thought you might be a RACIST!"

"No... but I do fucking hate STUPID people, no matter what color they are, too..."

Hate is a fine emotion. We need more directed hate, and we need to embrace that hate, like greed, can be good for society.

 

 

Mon Jan 18 2021 16:20:49 MST from TheDave

 

Mon Jan 18 2021 15:25:28 MST from ParanoidDelusions

It sure would be nice to have a "name@wallofhate.com" e-mail account. 
 

LOL nope, do not want.  I get what you were going for but you couldn't pay me to use that as an email address.



 



[#] Tue Jan 19 2021 22:03:36 MST from TheDave

[Reply] [ReplyQuoted] [Headers] [Print]

 

Mon Jan 18 2021 16:28:59 MST from ParanoidDelusions

I don't know why people are so afraid of this domain. 4 years ago, people would have gotten it. "Facebook" vs. "WallofHate".

Now everyone is terrified of hate, even though they're all full of it. Fucking responsible for it.

It is one of those insidious ways you can see how the atmosphere of mass hysteria has fucked society up, actually.

"Why is your domain Wallofhate?"

"Because I hate cancer and war and social inequity and..."


"Oooooh! Oooooh! I thought you might be a RACIST!"

"No... but I do fucking hate STUPID people, no matter what color they are, too..."

Hate is a fine emotion. We need more directed hate, and we need to embrace that hate, like greed, can be good for society.

 

 

Mon Jan 18 2021 16:20:49 MST from TheDave

 

Mon Jan 18 2021 15:25:28 MST from ParanoidDelusions

It sure would be nice to have a "name@wallofhate.com" e-mail account. 
 

LOL nope, do not want.  I get what you were going for but you couldn't pay me to use that as an email address.



 



 

Yeah, it's just not worth chewing through the straps some mornings.  I'm also not going to use Dave@ItsOKtoBeWhite.com lol