Schadenboner
Aug 15, 2011

If all you want is to avoid in-line ads you can just build a couple of Pis Hole and point whatever your DHCP server is at them.

You should also use them because, like: defense-in-depth only it's ads?

Impotence
Nov 8, 2010

Schadenboner posted:

If all you want is to avoid in-line ads you can just build a couple of Pis Hole and point whatever your DHCP server is at them.

You should also use them because, like: defense-in-depth only it's ads?

Ads these days portscan your computer from your browser and all sorts of stupid bullshit to "prevent ad click fraud" by persistently fingerprinting you, using WebRTC to get your local LAN subnets then scanning your entire LAN subnet

Rufus Ping
Dec 27, 2006

Biowarfare posted:

Ads these days portscan your computer from your browser and all sorts of stupid bullshit to "prevent ad click fraud" by persistently fingerprinting you, using WebRTC to get your local LAN subnets then scanning your entire LAN subnet

Do you have a source for ads doing this please? Aware of scanning with WebRTC in general but haven't heard of it being used for that

apseudonym
Feb 25, 2011

Biowarfare posted:

Ads these days portscan your computer from your browser and all sorts of stupid bullshit to "prevent ad click fraud" by persistently fingerprinting you, using WebRTC to get your local LAN subnets then scanning your entire LAN subnet

what

Cup Runneth Over
Aug 8, 2009

quote:

First, large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.

apseudonym
Feb 25, 2011


I know what fingerprint is. I'm specifically "what"ing the port scan claim.

Nalin
Sep 29, 2007

It's probably a reference to this stuff?

https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address
https://www.w3.org/wiki/Privacy/IPAddresses#Mechanism_whereby_the_local_IP_Address_is_exposed

Impotence
Nov 8, 2010

apseudonym posted:

I know what fingerprint is. I'm specifically "what"ing the port scan claim.

I've run into more than a few ads, unsure what chain of ad networks they were supplied through (they originally loaded via adsense) that load a path /fp/check.js (from intentionally-attempting-to-bypass-adblock randomly generated hostnames or first-party CNAMEd hostnames).

Someone has posted an old unobfuscated version of it at https://pastebin.com/raw/5wnVZHbK, see lines 950 and 501. This file is usually re-obfuscated differently very frequently if not unique on each pageload.

This shows up really blatantly in the console as it tries to (/fails) connect to ports to see if you're running remote desktop or some crap like that (so you're not just loading ads on a cloud VM or something). This runs in addition to the usual persistent fingerprinting.
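Added example, not code from any poster in this thread: the "first-party CNAMEd hostnames" mentioned above are what a plain hostname blocklist misses. A Pi-hole style resolver that checks only the queried name lets `metrics.news.example` through even when it is an alias for a listed tracker, so the check has to walk every CNAME in the answer. The blocklist, zone records and hostnames below are constructed for illustration; the chain-walking logic is a simplified stand-in, not Pi-hole's own implementation.

```python
"""
Pi-hole style DNS blocking that follows CNAME chains.

Constructed example: the resolver view (ZONE) and the blocklist are made up,
and use reserved example/documentation names and addresses.
"""
from __future__ import annotations

# Blocklist in the usual "this domain and everything under it" sense.
BLOCKLIST = {
    "tracker.example",
    "fp-check.example",
}

# Simplified resolver view: name -> ("CNAME", target) or ("A", address).
ZONE = {
    "www.news.example": ("A", "203.0.113.10"),
    # First-party hostname that is really an alias for a tracker, two hops away.
    "metrics.news.example": ("CNAME", "edge.cdn.example"),
    "edge.cdn.example": ("CNAME", "collect.fp-check.example"),
    "collect.fp-check.example": ("A", "198.51.100.7"),
    # Pathological chain, to show the loop guard.
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}


def is_blocked_name(name: str, blocklist=BLOCKLIST) -> bool:
    """True if name, or any parent domain of it, is on the blocklist."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name: str, zone=ZONE, blocklist=BLOCKLIST, max_hops: int = 8):
    """Walk the CNAME chain for name.

    Returns (verdict, chain, address) where verdict is one of
    'blocked'  - the queried name or some alias in the chain is listed
    'allowed'  - chain ended in an A record with nothing listed
    'nxdomain' - a name in the chain does not exist
    'loop'     - the chain revisits a name or exceeds max_hops
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        if is_blocked_name(current, blocklist):
            return "blocked", chain, None
        record = zone.get(current)
        if record is None:
            return "nxdomain", chain, None
        rtype, value = record
        if rtype == "A":
            return "allowed", chain, value
        current = value                     # follow the CNAME
        if current in chain:
            return "loop", chain, None
        chain.append(current)
    return "loop", chain, None              # too many hops: treat as suspicious


def answer(name: str) -> str:
    """What the sinkhole hands back to the client: the real address, or
    0.0.0.0 for anything blocked, looping or missing."""
    verdict, _chain, address = resolve(name)
    return address if verdict == "allowed" else "0.0.0.0"


if __name__ == "__main__":
    for q in ("www.news.example", "metrics.news.example", "loop-a.example"):
        print(q, "->", resolve(q)[0], answer(q))
```

The queried-name check alone (`is_blocked_name("metrics.news.example")`) is False; only the walk finds `fp-check.example` at the end of the chain, which is the gap CNAME cloaking exploits.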

Media Bloodbath
Mar 1, 2018

Biowarfare posted:

I've run into more than a few ads, unsure what chain of ad networks they were supplied through (they originally loaded via adsense) that load a path /fp/check.js (from intentionally-attempting-to-bypass-adblock randomly generated hostnames or first-party CNAMEd hostnames).

Someone has posted an old unobfuscated version of it at https://pastebin.com/raw/5wnVZHbK, see lines 950 and 501. This file is usually re-obfuscated differently very frequently if not unique on each pageload.

This shows up really blatantly in the console as it tries to (/fails) connect to ports to see if you're running remote desktop or some crap like that (so you're not just loading ads on a cloud VM or something). This runs in addition to the usual persistent fingerprinting.

I'm var bitchPlease

Sri.Theo
Apr 16, 2008
So there are no good VPNs? If I just want to access stuff from another country is it actually a risk?

duz
Jul 11, 2005

If you just want to access another country's Netflix, don't ask the security thread, ask the Netflix thread.

Dead Goon
Dec 13, 2002

I use Mullvad VPN, all you need is to write down the automatically generated account number they give you and that's it. If paying with crypto isn't enough tinfoil hat, you can post them cash in an envelope.

Lain Iwakura
Aug 5, 2004

duz posted:

If you just want to access another country's Netflix, don't ask the security thread, ask the Netflix thread.

That is really it. The idea that you're going to use a third-party VPN to add an extra layer of security is really silly. If you're looking for a service that'll get you access to Netflix in some other country or to get around YouTube's copyright blocks, that is another thing altogether.

If you need your own VPN for security reasons, set up OpenVPN, Algo, or something else.

fyallm
Feb 27, 2007

Is anybody familiar with CISCO AMP/McAfee Suite? One of my clients feels that these are sufficient countermeasures for not conducting endpoint vulnerability scanning. I disagree since I don't think that they can capture misconfigurations, malware from zero days, etc. but I haven't worked with AMP/McAfee suite since many many years ago so who knows what updates they have made.

Lain Iwakura
Aug 5, 2004

fyallm posted:

Is anybody familiar with CISCO AMP/McAfee Suite? One of my clients feels that these are sufficient countermeasures for not conducting endpoint vulnerability scanning. I disagree since I don't think that they can capture misconfigurations, malware from zero days, etc. but I haven't worked with AMP/McAfee suite since many many years ago so who knows what updates they have made.

Years ago I had AMP demo'd to me and found it to be inadequate unless you're in the business of having something that'll make noise and do nothing.

Every time I hear that some vendor has a way to track "zero day malware", my eyes immediately start to roll back so far into my skull that I know it's straining my optic nerve. All endpoint software is trash really so it's really picking your poison if you have someone or you are someone who wants to go this route rather than rely on what comes with Windows to begin with.

Powered Descent
Jul 13, 2008

Dead Goon posted:

I use Mullvad VPN, all you need is to write down the automatically generated account number they give you and that's it. If paying with crypto isn't enough tinfoil hat, you can post them cash in an envelope.

Seconding this recommendation; I've been using them for over a year. They're based in Sweden, they appear to be ideological privacy purists, they get everything right technically that I could ask for, and I don't get a single scammy vibe off them at all.

Check their review at that one privacy site: https://thatoneprivacysite.net/blog/mullvad-review/

pliable
Sep 26, 2003

Holy gently caress, lots of interesting replies...

I love my ISP, but the infrastructure is provided by AT&T, and for that very reason my ISP gives us a VPN. Is the CyberSec feature on NordVPN bullshit as well? I'm not going for crazy anonymity or deep web illegal poo poo, I'd just like an extra layer of security, in addition to my password safe, 2FA, etc (but I guess I should just use my default ISP instead of a VPN because using a VPN for an extra layer of security is dumb too?? :confused:). I'd also like to watch my country-restricted shows on my Netflix/Hulu/etc accounts. Torrents are rarely done these days. Like I said before, I'll probably build a dedicated server in the future for Algo, but for now, is there any remotely okay commercial VPN? I mean, what commercial VPNs do y'all use (besides NordVPN and Mullvad)?

Thank you all for the responses, helps a lot! :)

Klyith
Aug 3, 2007

pliable posted:

I love my ISP, but the infrastructure is provided by AT&T, and for that very reason my ISP gives us a VPN. Is the CyberSec feature on NordVPN bullshit as well? I'm not going for crazy anonymity or deep web illegal poo poo, I'd just like an extra layer of security, in addition to my password safe, 2FA, etc (but I guess I should just use my default ISP instead of a VPN because using a VPN for an extra layer of security is dumb too?? :confused:).

A VPN as an extra layer of security for connecting to the internet, for a home user, is worthless. Nobody is attacking you by tracing your IPs and doing movie cyber hacks where a green line bounces back and forth across a wireframe globe.

If you get hit by attacks it'll be through a malicious ad on a webpage or something like that, for which a VPN is zero help. Your PC wanted to load that webpage, the bad ad came down the pipe with everything else. Or you'll be attacked by botnet worms which target your local connection and go "around" the VPN. (It would be possible to close all connections other than the VPN, but that's awkward and doesn't really give you any better security than a well-configured firewall.)


A VPN as a secure connection to your home from elsewhere does have value, but that's not what NordVPN is. That's what OpenVPN and Algo that Lain was recommending are. If you're outside your home these types of VPNs, which you run from your own machine or router, are a secure locked door that you can open to get inside your home network from elsewhere.

Powered Descent
Jul 13, 2008

pliable posted:

Holy gently caress, lots of interesting replies...

I love my ISP, but the infrastructure is provided by AT&T, and for that very reason my ISP gives us a VPN. Is the CyberSec feature on NordVPN bullshit as well? I'm not going for crazy anonymity or deep web illegal poo poo, I'd just like an extra layer of security, in addition to my password safe, 2FA, etc (but I guess I should just use my default ISP instead of a VPN because using a VPN for an extra layer of security is dumb too?? :confused:). I'd also like to watch my country-restricted shows on my Netflix/Hulu/etc accounts. Torrents are rarely done these days. Like I said before, I'll probably build a dedicated server in the future for Algo, but for now, is there any remotely okay commercial VPN? I mean, what commercial VPNs do y'all use (besides NordVPN and Mullvad)?

Thank you all for the responses, helps a lot! :)

As with everything, security is a matter of what you're defending against. Mosquito netting will do nothing to stop a grizzly bear attack but that doesn't mean it's useless.

A VPN will keep your ISP from seeing what sites you're visiting -- all they see is a bunch of encrypted traffic back and forth to the VPN server. Keeping your ISP in the dark can be a smart idea, especially now that it's perfectly legal in the USA for them to collect and sell your entire Internet history to anyone who wants it. Of course, now you're trusting your VPN provider with all of that information, so choose carefully.

A VPN service also keeps the sites you visit from seeing your true originating IP. This can also be a smart idea since you never know who might be interested in that information. (And of course if what you're looking to do is torrent movies without worrying about getting sued by the MPAA, then this is the protection you need. You'll want to take steps to ensure your torrent client doesn't re-connect directly when the tunnel is down and give away your actual IP.)

By itself, a VPN will do nothing to stop ad tracking, browser fingerprinting, malicious scripts, etc. That's not what it's for. And of course, some sites will treat traffic coming from a VPN endpoint as suspicious, and nodes sometimes end up on various blacklists due to asshats launching attacks through them. (In general that's not much of a problem, though. Tor exit nodes have that same problem but FAR worse.) Also, Netflix is in a constant arms race with VPN companies -- the people they license their content from don't want the viewers being all clever and getting around their geo-restrictions.

These days I run most of my traffic through Mullvad, just out of a general-purpose low-grade paranoia of surveillance.

The Iron Rose
May 12, 2012

rolling your own VPN is also surprisingly easy and cheap. You can toss OpenVPN or IPSec on a cloud VM for a few bucks a month. If you don't have an AWS account you can run it entirely free for 12 months on their free tier.

Here's a cloudformation template that'll do it all for you: https://github.com/UrsysC/Cloudformation-IPSec-VPN


for ad blocking or the like, you can set up a pihole and then point your VPN's DNS server address at that. https://github.com/CloudEric/dnsvpn-cloudformation is another script that can set up both for you.

The Iron Rose fucked around with this message at 20:48 on Aug 29, 2019

xtal
Jan 9, 2011

I run OpenVPN on vultr.com's $2.50 server and it's great. Thinking about switching to Wireguard but I still don't like algo since it's a whole ansible stack and doesn't fit into my devops setup.

CLAM DOWN
Feb 13, 2007

Klyith posted:

Nobody is attacking you by tracing your IPs and doing movie cyber hacks where a green line bounces back and forth across a wireframe globe.

uh, speak for yourself

Schadenboner
Aug 15, 2011

CLAM DOWN posted:

uh, speak for yourself

Send Spike:ins:

E: Even smilies know that GreenPOS is BestPOS.

pliable
Sep 26, 2003

Cool beans, thanks for the info y'all, much appreciated :)

Powered Descent
Jul 13, 2008

The Iron Rose posted:

rolling your own VPN is also surprisingly easy and cheap.

Very true, and I've done something similar myself at various times. The only real downside of rolling your own VPN on a cloud host is that you lose all ability to "get lost in the crowd": that cloud host is linked to you, and in fact ALL traffic that comes from it will be yours. Websites and advertisers will see its IP and be able to recognize you by it.

And in a situation like I linked in my post above, where the government is attempting to get all the IPs that visited an anti-Trump protest website, a roll-your-own VPN would be very little protection since they'd just subpoena the VM host to find out whose VPS it is. If you had visited the site through a big VPN service, then good luck sorting out which of the thousands of customers is the one they want. It may not be impossible for a nation-state adversary to do some kind of analysis of recorded intercepted traffic and still find you, but I bet it wouldn't be easy.

Lain Iwakura
Aug 5, 2004

If anyone wants a throwback, this is what we used to use on SA back in 2000-ish to block ads.

https://www.proxomitron.info/index.html

It worked well and I used it to make websites less garbage by removing unnecessary content when I was still using dialup. I am sure it's littered with problems especially if the source-code were available to review.

The Iron Rose
May 12, 2012

Powered Descent posted:

Very true, and I've done something similar myself at various times. The only real downside of rolling your own VPN on a cloud host is that you lose all ability to "get lost in the crowd": that cloud host is linked to you, and in fact ALL traffic that comes from it will be yours. Websites and advertisers will see its IP and be able to recognize you by it.

Advertisers might be able to recognize it as an IP address within a known range of instance IP addresses- Netflix does this to block EC2 instances - but they certainly aren't able to tie that IP to your real world identity. If you don't have a static IP it'll be constantly changing anyways. And I'd be surprised if many other providers even went that far, it's an eclectic choice for VPNs. RandomAdDomain.com certainly won't be able to tie it to you.

The rest of your post is a fantasy and not really worth engaging with.

The Fool
Oct 16, 2003


The Iron Rose posted:

Advertisers might be able to recognize it as an IP address within a known range of instance IP addresses- Netflix does this to block EC2 instances - but they certainly aren't able to tie that IP to your real world identity. If you don't have a static IP it'll be constantly changing anyways. And I'd be surprised if many other providers even went that far, it's an eclectic choice for VPNs. RandomAdDomain.com certainly won't be able to tie it to you.

The rest of your post is a fantasy and not really worth engaging with.

Basically all of the cloud compute providers give you semi-static addresses. As long as your vm is provisioned, your ip is the same unless you go out of your way to change it.

Powered Descent
Jul 13, 2008

The Iron Rose posted:

Advertisers might be able to recognize it as an IP address within a known range of instance IP addresses- Netflix does this to block EC2 instances - but they certainly aren't able to tie that IP to your real world identity. If you don't have a static IP it'll be constantly changing anyways. And I'd be surprised if many other providers even went that far, it's an eclectic choice for VPNs. RandomAdDomain.com certainly won't be able to tie it to you.

Unless you happen to log in to Facebook or Google or Amazon or wherever else the advertisers happen to dispense their tracking cookies.

The Iron Rose
May 12, 2012

Powered Descent posted:

Unless you happen to log in to Facebook or Google or Amazon or wherever else the advertisers happen to dispense their tracking cookies.

Fair enough, but I don't see how a commercial VPN would change that?

Powered Descent
Jul 13, 2008

The Iron Rose posted:

Fair enough, but I don't see how a commercial VPN would change that?

Traffic from many other people is also coming from that node. The correlation is no longer one-to-one, so they don't know that traffic from this IP is always you. (Besides, a big VPN service probably has hundreds of endpoints you might be connecting through. You could do the same thing for yourself and spin up hundreds of VPSes, but would you?)

The Iron Rose
May 12, 2012

Powered Descent posted:

Traffic from many other people is also coming from that node. The correlation is no longer one-to-one, so they don't know that traffic from this IP is always you. (Besides, a big VPN service probably has hundreds of endpoints you might be connecting through. You could do the same thing for yourself and spin up hundreds of VPSes, but would you?)

Only if you keep the same VM or use an elastic IP, but yes they can certainly tie traffic from that IP address to a new set of browsing data. They can't get your real world identity from just an EC2 IP address though, which is all I'm trying to say.

But you're right, the moment you do log into a service they can associate your real world identity with whatever IP address you choose, so fair enough. I misinterpreted what you were saying as "they can get your real world identity just from a cloud VM IP address" not "if you log into something that exposes your identity and you're the only one who uses this IP address, so they know it was you" which is I guess a distinction without a difference

Impotence
Nov 8, 2010
I have a really stupid VPN use case, which is that my mobile carrier runs all web traffic (including non-port 80/443) through a lovely caching(?) web proxy that mangles headers, responses, half-breaks websockets and HTTP/2, breaks QUIC, and causes sites that only have modern TLS ciphers to fail the handshake (and get a connection reset) if I try to visit them. And sometimes images are compressed/return a different hash/files are modified. They refuse to change this or disable it.

Wiggly Wayne DDS
Sep 11, 2010

the classic solution to that is throw the vpn on 53 and convince the carrier that you really really like dns

sounds more like they're breaking traffic to inject their own ads/"support" mechanisms but that'd be the first check

if they're trying to intentionally break the newer protocols then they won't be providing any data plans for much longer tbh

Impotence
Nov 8, 2010
I don't think it's intentional, it's just some stupid web proxy in the middle that doesn't understand anything modern. It's AT&T.

T-Mobile used to hijack DNS, including doing bullshit like static routing 8.8.8.8 to their own search page resolver, but I think they've stopped that.

I have hotspots from every major carrier due to some dead zones/having internet on my commute in case of an oncall incident, and ATT injects request headers, a Via header, and all that bullshit. I asked someone a bit above an ATT CSR and they said everyone was subject to this and there was not an opt out. I don't recall seeing supercookie/ad injection though, thankfully.
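Added example, not from anyone in the thread: a check for the kind of intermediary described above. It parses a captured HTTP/1.x response, flags headers that only a proxy in the path has a reason to add (Via, X-Forwarded-For and friends), and compares the body against a reference copy of the same resource fetched over a path you trust, such as your own VPN. A Via header on its own is not proof, since origins and CDNs add one too; the comparison against the trusted copy is what makes the result meaningful. Both responses, the hostnames and the proxy address below are constructed.

```python
"""
Detect a transparent HTTP proxy from a captured response.

Constructed example: CLEAN is what the resource looks like fetched over the
VPN, MANGLED is the same request as seen through a made-up carrier proxy
that added hop headers and rewrote the body without fixing Content-Length.
"""
import hashlib

# Headers an HTTP intermediary adds. Not conclusive alone (a CDN in front
# of the origin also adds Via), hence the comparison against a reference copy.
INTERMEDIARY_HEADERS = ("via", "x-forwarded-for", "proxy-connection", "x-cache")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def proxy_indicators(raw: bytes, reference_body: bytes) -> list[str]:
    """Return the reasons to believe something in the path rewrote this
    response. An empty list means nothing stood out."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name in INTERMEDIARY_HEADERS:
        if name in headers:
            findings.append(f"{name}: {', '.join(headers[name])}")
    if hashlib.sha256(body).digest() != hashlib.sha256(reference_body).digest():
        findings.append("body differs from reference copy")
    declared = headers.get("content-length")
    if declared and int(declared[0]) != len(body):
        findings.append(f"content-length {declared[0]} != actual {len(body)}")
    return findings


# Constructed reference copy, as fetched over the VPN.
REFERENCE_BODY = b"<html><body>probe</body></html>\n"
CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(REFERENCE_BODY)
) + REFERENCE_BODY

# Constructed proxied copy: hop headers added, trailing newline stripped,
# original Content-Length left in place.
MANGLED_BODY = b"<html><body>probe</body></html>"
MANGLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n"
    b"Via: 1.1 carrier-proxy\r\n"
    b"X-Forwarded-For: 10.64.0.7\r\n"
    b"\r\n" % len(REFERENCE_BODY)
) + MANGLED_BODY


if __name__ == "__main__":
    print("clean:  ", proxy_indicators(CLEAN, REFERENCE_BODY))
    print("mangled:", proxy_indicators(MANGLED, REFERENCE_BODY))
```

To use it against a real carrier, capture the raw response with a plain socket (or `curl --raw`) on the hotspot and again over the VPN, and feed the hotspot copy as `raw` and the VPN body as `reference_body`; TLS-terminated resources are out of scope for this check, since a proxy that cannot read them can only break them, which is the connection-reset symptom described above.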

Thanks Ants
May 21, 2004

Biowarfare posted:

I have a really stupid VPN use case, which is that my mobile carrier runs all web traffic (including non-port 80/443) through a lovely caching(?) web proxy that mangles headers, responses, half-breaks websockets and HTTP/2, breaks QUIC, and causes sites that only have modern TLS ciphers to fail the handshake (and get a connection reset) if I try to visit them. And sometimes images are compressed/return a different hash/files are modified. They refuse to change this or disable it.

Have a search around to see if your carrier runs a non-broken APN that you can use instead. I think there was a network here (O2 maybe) that would default everybody to an APN that compressed images into a blurred mess (this was in the EDGE days) and changing the APN made things work again.

CommieGIR
Aug 22, 2006

fyallm posted:

Is anybody familiar with CISCO AMP/McAfee Suite? One of my clients feels that these are sufficient countermeasures for not conducting endpoint vulnerability scanning. I disagree since I don't think that they can capture misconfigurations, malware from zero days, etc. but I haven't worked with AMP/McAfee suite since many many years ago so who knows what updates they have made.

Those products are crap.

Greenbone is free for vuln scanning. There is zero excuse for not doing it.

xarph
Jun 18, 2001

I'm a fan of algo by trail of bits: https://github.com/trailofbits/algo/

I have a VPN in EC2 (used to be a VM on my home network but comcast is poo poo) that costs $2.50 a month via lightsail, and my ipad and iphone have connect-on-demand profiles that keep them always connected when I'm not on my home wifi.

Raenir Salazar
Nov 5, 2010

Clearly the only reliable method of security is carrier pigeons.

EVIL Gibson
Mar 23, 2001

I have views of VPNs but I will come off as a paranoid schizo referencing post-WW2 treaties...
