|
OSI bean dip posted:If someone wants to write a sane guide to setting up a Raspberry Pi to allow for remote access, please do. I'm interested in doing this with my Pi. Could you elaborate on why guides that are out there aren't sane?
|
#
?
Feb 4, 2017 02:52
|
|
|
|
| # ? May 18, 2024 00:05 |
|
|
Kassad posted:That's just what the permission would let it do. It doesn't mean it's actually doing that. It'd be very obvious if it did since the source code is up on Github. As long as the binary is compiled from unmodified code.
|
|
#
?
Feb 4, 2017 03:53
|
|
|
hooah posted:I'm interested in doing this with my Pi. Could you elaborate on why guides that are out there aren't sane? suggests using a 1024-bit RSA key in 2014 tells you to curl a uri and pipe it into your shell There are probably others that tell you to disable SELinux, but I don't even think it's enabled by default on Raspbian.
|
|
#
?
Feb 4, 2017 04:00
|
|
|
flosofl posted:Thanks, these replies all make sense to me. I haven't really looked into the extension framework for Safari. Echoing flosofl's thanks for all the replies, which have cleared things up for me. I don't have the time to look into extension frameworks myself, so it's great to hear from some people with domain knowledge.
|
|
#
?
Feb 4, 2017 05:00
|
|
|
BobHoward posted:Echoing flosofl's thanks for all the replies, which have cleared things up for me. I don't have the time to look into extension frameworks myself, so it's great to hear from some people with domain knowledge. Dunno. I abandoned browser adblockers for a Pihole install running on a Debian lappy here. Gives me a lot more control over adblocking, as well as the ability to use curated lists of malware domains, plus the ability to use it LAN-wide with a single point of management.
|
|
#
?
Feb 4, 2017 06:41
|
|
|
Subjunctive posted:As long as the binary is compiled from unmodified code. And anybody bothered to look at the source in the first place.
|
|
#
?
Feb 4, 2017 06:53
|
|
|
anthonypants posted:The first two hits for me on google for "rpi openvpn" are: Those easy-rsa scripts had terrible defaults for the longest time. IIRC they fixed it and use 2k as a default now but a lot of openvpn keys were generated using those scripts by people not really knowing what they were doing so there must be a lot of openvpn instances out there still using 1k keys.
|
|
#
?
Feb 4, 2017 09:55
|
|
|
What do I tell people who ask about putting tape over their webcams? I'd think if they're at the point where they feel they need to they probably will just do it anyway.
|
|
#
?
Feb 9, 2017 19:34
|
|
|
Just let them do it, it doesn't hurt anything.
|
|
#
?
Feb 9, 2017 19:40
|
|
|
Don't use clear tape
|
|
#
?
Feb 9, 2017 19:45
|
|
|
DanAdamKOF posted:What do I tell people who ask about putting tape over their webcams? I'd think if they're at the point where they feel they need to they probably will just do it anyway. I do it but only because I typically hate cameras pointed directly at me. There is no harm in doing it.
|
|
#
?
Feb 9, 2017 20:02
|
|
|
Don't mention microphones, either.
|
|
#
?
Feb 9, 2017 21:43
|
|
|
Evidently I was "hacked" again.  These Netherlands logins weren't me. How could someone get into my gmail account like this? I have 2 factor auth on, with authenticator or SMS. I can't login on any device without having to do these steps. And of course I never got any notification. Is google authenticator not secure? I have a very strong randomly generated 64 digit password too. I'm no tech expert but there has to be something fishy going on here. This is also the gmail account I have chrome logged in with. Luckily its just a throwaway account. But what could be going on I wonder.
|
|
#
?
Feb 16, 2017 05:29
|
|
|
African AIDS cum posted:Evidently I was "hacked" again. Did you ever set up a Dutch VPN in Firefox? That was popular a few years back (when Firefox 40 was current) for free NFL streams.
|
|
#
?
Feb 16, 2017 05:42
|
|
|
African AIDS cum posted:Evidently I was "hacked" again. Did you lose an Android device?
|
|
#
?
Feb 16, 2017 06:26
|
|
|
Space Gopher posted:Did you ever set up a Dutch VPN in Firefox? That was popular a few years back (when Firefox 40 was current) for free NFL streams. Yes I did use one a few years ago, but I haven't used firefox in forever, and didn't back then, also it was on a completely different computer This shows up under recent devices in google,  The firefox one definitely isn't me, but it is the same computer name of my PC, so is the Netherlands login spoofing my pc somehow? Nobody has access to this PC but me and I have a fresh install of windows 10 Samizdata posted:Did you lose an Android device? Nope, have never owned one
|
|
#
?
Feb 16, 2017 06:28
|
|
|
https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/ Hmm
|
|
#
?
Feb 24, 2017 06:58
|
|
|
African AIDS cum posted:https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/ Change your passwords on any site that uses Cloudflare--that includes Something Awful.
|
|
#
?
Feb 24, 2017 07:00
|
|
|
So, no one is actually going to do the research and find the actual disclosure from Project Zero? I love El Reg as much as the next chap, but they can get a little over dramatic at times.
|
|
#
?
Feb 24, 2017 08:17
|
|
|
OSI bean dip posted:Change your passwords on any site that uses Cloudflare--that includes Something Awful. Yeah I have been. Do you think someone could have accessed my Gmail/Amazon this way or through something similar? They did have unique passwords.
|
|
#
?
Feb 24, 2017 08:20
|
|
|
African AIDS cum posted:Yeah I have been. Do you think someone could have accessed my Gmail/Amazon this way or through something similar? They did have unique passwords.
|
|
#
?
Feb 24, 2017 08:36
|
|
|
How often do people here change passwords for sensitive sites and data? KeePass has the option of setting an expiry time for a password. Depending on the sensitivity of the data the password is protecting, I set expiry times of varying lengths. For my most sensitive information (e.g., banking sites), I change my passwords every week. For somewhat less sensitive, but still important stuff (email, dropbox), I change passwords every month. Things like forums account passwords and Amazon get changed every 3 months. I change my KeePass master password every month. My WPA2 and router passwords also get changed every month. I use 2FA on everything I can. Realistically, I know that a properly generated, high entropy password on an otherwise secure system can't be cracked in my lifetime via known methods, so I wonder if I'm being silly by changing my passwords so often. Then, breaches like this Cloudflare situation pop up, and I wonder how many similar breaches occur without ever being noticed or reported; maybe my paranoia is justified? Changing passwords this often requires maybe 20 minutes per week of my time at most, so I don't think I'm that crazy, but I do sometimes wonder if it's a waste of time and energy.
|
|
#
?
Feb 24, 2017 09:15
|
|
|
Clint Howard posted:How often do people here change passwords for sensitive sites and data? KeePass has the option of setting an expiry time for a password. Depending on the sensitivity of the data the password is protecting, I set expiry times of varying lengths. For my most sensitive information (e.g., banking sites), I change my passwords every week. For somewhat less sensitive, but still important stuff (email, dropbox), I change passwords every month. Things like forums account passwords and Amazon get changed every 3 months. I change my KeePass master password every month. My WPA2 and router passwords also get changed every month. I use 2FA on everything I can. This is from a study by Google a few years ago:  The reason non-experts change their passwords so often is because, well, if people use bad passwords to start with AND they reuse passwords, and you can't get them to change that behaviour, telling them to change passwords every so often is the only option left. For experts who don't reuse passwords and have randomly generated passwords of sufficient strength only, changing them is really never necessary unless you find evidence of someone having gotten access to your account. See, now there's a good reason to change passwords on sites that use Cloudflare, but other than stuff like that? Complete waste of your time. Seriously, 20 minutes EVERY WEEK on something that's hardly ever necessary? Oh and to any sysadmins at companies - please don't force people to change passwords every so often. It'll just cause them to increment a number at the end of a password, and it'll cause them to choose simpler passwords because they'll have to learn a new one every time. Forcing people to change passwords regularly is a terrible security practice.
|
|
#
?
Feb 24, 2017 23:45
|
|
|
Clint Howard posted:How often do people here change passwords for sensitive sites and data? KeePass has the option of setting an expiry time for a password. Depending on the sensitivity of the data the password is protecting, I set expiry times of varying lengths. For my most sensitive information (e.g., banking sites), I change my passwords every week. For somewhat less sensitive, but still important stuff (email, dropbox), I change passwords every month. Things like forums account passwords and Amazon get changed every 3 months. I change my KeePass master password every month. My WPA2 and router passwords also get changed every month. I use 2FA on everything I can. Use 2FA.
|
|
#
?
Feb 24, 2017 23:46
|
|
|
Carbon dioxide posted:The reason non-experts change their passwords so often is because, well, if people use bad passwords to start with AND they reuse passwords, and you can't get them to change that behaviour, telling them to change passwords every so often is the only option left. I've sometimes thought that the only solution to password reuse would be to use required patterns in the password. When you go to change the password the page would tell you that the characters 4-6 in your new password must be "hEo", choose whatever you want for the rest. But it would require large portion of sites to use random patterns to make reuse impractical.
|
|
#
?
Feb 25, 2017 01:27
|
|
|
RFC2324 posted:Use 2FA. This is the only real answer.
|
|
#
?
Feb 25, 2017 01:36
|
|
|
Clint Howard posted:How often do people here change passwords for sensitive sites and data? KeePass has the option of setting an expiry time for a password. Depending on the sensitivity of the data the password is protecting, I set expiry times of varying lengths. For my most sensitive information (e.g., banking sites), I change my passwords every week. For somewhat less sensitive, but still important stuff (email, dropbox), I change passwords every month. Things like forums account passwords and Amazon get changed every 3 months. I change my KeePass master password every month. My WPA2 and router passwords also get changed every month. I use 2FA on everything I can. The only virtue in changing passwords, is so the password in any given dump-made-public isn't your current password. Most of these that hit the web broadly tend to be months to years old. Even rarer are they plaintext, high entropy passwords aren't going to be reversed quickly if ever. It's kinda up to you whether you think its a waste of time or not? As for keypass, rotating that password achieves nothing. If someone was attacking the vault they'd presumably already have their own copy of your kbbx and changing the password to your version doesn't alter theirs. Bruteforcing keepass/WPA2 just isn't feasible. It's not "probably not in my lifetime" but rather "certainly not in the lifetime of the Sun". Worry less about rotating passwords weekly and instead activate 2FA, and especially secure keepass with a Yubikey or similar.
|
|
#
?
Feb 25, 2017 03:28
|
|
|
Saukkis posted:I've sometimes thought that the only solution to password reuse would be to use required patterns in the password. When you go to change the password the page would tell you that the characters 4-6 in your new password must be "hEo", choose whatever you want for the rest. But it would require large portion of sites to use random patterns to make reuse impractical. Some sites do this. I proposed it at Facebook, but the other mitigations in place were deemed strong enough that the user friction wasn't worth it.
|
|
#
?
Feb 25, 2017 04:54
|
|
|
What the absolute gently caress, Adobe? I can't save documents in Adobe Acrobat Reader DC without triggering EMET's Caller mitigation and crashing the program. How do you gently caress that up??
|
|
#
?
Mar 7, 2017 03:40
|
|
|
Cup Runneth Over posted:What the absolute gently caress, Adobe? I can't save documents in Adobe Acrobat Reader DC without triggering EMET's Caller mitigation and crashing the program. How do you gently caress that up?? More often than not it's the AV that's hosed up but we are talking about Adobe here soooo
|
|
#
?
Mar 7, 2017 10:51
|
|
|
EMET isn't an AV.
|
|
#
?
Mar 7, 2017 11:00
|
|
|
Cup Runneth Over posted:EMET isn't an AV. Lol yes you are correct. For some reason I read EMET as ESET...
|
|
#
?
Mar 7, 2017 11:50
|
|
|
Removed.
Downs Duck fucked around with this message at 20:32 on Mar 7, 2017 |
|
#
?
Mar 7, 2017 19:21
|
|
|
You have too much going on here and should consider maybe simplifying your approach. I opted to break apart your post here into simple replies. That said, I don't believe that you read much of the OP. quote:I'm looking for some Beginner's Home/Private OPSEC Tips and wondered if someone could help me with some best practices/programs? I'd like the "paranoid" comments to be at an absolute minimum, please. I'm trying to learn here, so bear with me. I'm a regular guy that just wants to avoid being hosed over by some script kiddie just because I pissed him off at some random forum or didn't lock my "house" properly. I'm gonna be honest about what I've done, and I know something if not everything have been stupid. I'm trying to rectify that now. quote:I ditched FB maybe 5-6 years ago, can't remember. Didn't post much, if anything. I signed up for LinkedIn and became too liberal in posting stuff there for my resume, thinking it would help me get a job. It didn't so I've already taken some steps to rectify that; it now only has an anonymous picture and a brief summary of my skills. I am thinking of just ditching it altogether and create a new, anonymous profile. quote:I am currently in the process of checking every site I've used LastPass on, like job sites and similar, removing my info or obscuring my info on all of them. Assume a new online identity and don't engage with people you think are out to gently caress you over. Don't reveal who you are to others and then you don't have to go and edit every single website you're on. This is only needed if you are really concerned about painting a target on your back. Once it's on the Internet, it's out there for everyone to digest. You can do your best to have Google remove it or whatever, but really there is a point where starting fresh is better. quote:Currently doing a 30 day Kaspersky trail, and a 5 day Freedome VPN trail to check it out, been only using WIndows Defender and no VPN/TOR before that. Looking into some free alternatives before I land on paying for one. Read the OP about anti-virus. You claimed to have read it already but since you're asking about anti-virus it is apparent that you haven't. Also why do you need to use a VPN? Are you using it at home or are you using it when you're out and about? quote:Thinking of using VeraCrypt to encrypt all drives, but am a bit nervous I will gently caress it up and ot get back my data. Thinking of maybe just encrypt disk 1 and 2, and let the 3rd one be unencrypted just so I don't lose all my data by accident. Again, read the OP about disk encryption. There is nothing wrong in encrypting all of your disks provided that you can maintain access to them. quote:Thinking of writing any and all passwords in a physical notebook. This is not as bad as people might think. Stop using LastPass by the way. quote:Router is setup with a non-default username and password, same with SSID. I've looked into some of the aircrack -ng tools and know people could sniff out and spoof MAC listed devices, but thinking of doing it anyway. Are you concerned about people breaking your wireless network? If you're really concerned, use ethernet everywhere. quote:Looking into secure browsers, been using Chrome for a while. Not sure if the standard Firefox is my best bet, been looking into Iridium and White Hat Aviator, just something I can lock down as default and open up if/when some page tells me to. Very open to suggestions from you here. Just use Firefox or Chrome. quote:I have an Android phone, a Samsung Galaxy A3 that I want to root. I have the wifi and bluetooth turned off whenever I don't specifically need them, but don't trust it anymore. Been looking into rooting it with Odin or something or maybe buying a burner phone or at least using an old Nokia that I have. Phones are a different beast. If you're concerned then use some GSM device that has no real features. quote:Most of all I want SIMPLE, because I don't give a poo poo about most social media or sharing whatever I eat and do throughout the day. Read the OP and make decisions for yourself. Please avoid making another giant wall of text that is effectively teflon for eyes if you choose to reply again. Lain Iwakura fucked around with this message at 19:50 on Mar 7, 2017 |
|
#
?
Mar 7, 2017 19:43
|
|
|
OSI bean dip posted:words Thank you for your answer, I'll get back to reading the OP and will delete the wall of text after, so it doesn't clutter the thread. EDIT: I copied your answer, so you can delete your post to me if you feel it's taking up too much space. Thanks again. Downs Duck fucked around with this message at 20:41 on Mar 7, 2017 |
|
#
?
Mar 7, 2017 20:30
|
|
|
spankmeister posted:Those easy-rsa scripts had terrible defaults for the longest time. on that same note if you rolled your own ovpn server it's worth checking the logs to see if you are using a cipher that is affected by SWEET32 - ovpn calls it out in the connection logs now and some of the older versions had some horrendous defaults for ciphers
|
|
#
?
Mar 11, 2017 16:36
|
|
|
Mad Wack posted:on that same note if you rolled your own ovpn server it's worth checking the logs to see if you are using a cipher that is affected by SWEET32 - ovpn calls it out in the connection logs now and some of the older versions had some horrendous defaults for ciphers
|
|
#
?
Mar 11, 2017 17:21
|
|
|
Mad Wack posted:on that same note if you rolled your own ovpn server it's worth checking the logs to see if you are using a cipher that is affected by SWEET32 - ovpn calls it out in the connection logs now and some of the older versions had some horrendous defaults for ciphers
|
|
#
?
Mar 11, 2017 17:33
|
|
|
Forgall posted:Does this affect brypt in any way, since it's based on Blowfish? No.
|
|
#
?
Mar 11, 2017 17:36
|
|
|
|
| # ? May 18, 2024 00:05 |
|
|
I'm turning in a laptop to work on my last day, and using Cipher to wipe things I've deleted. Before I went to bed, I used cipher /w:c:users - and it wasn't done like 7 hours later, but users directory isn't that big, so does Cipher wipe the entire drive regardless?
|
|
#
?
Mar 15, 2017 12:05
|
|
