CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Combat Pretzel posted:

My gripe is more that the US is throwing around political threats in the general direction of other sovereign entities (e.g. Europe), for daring to continue to consider Huawei equipment, while these assholes themselves are undermining our territory with their own spying bullshit.

The Uighur thing is a weird matter to bring up. Considering the US is otherwise also acting as the world's police, they're sure free to deal with it.

Oh no, I did not mean in any way that the US has clean hands, especially given the recent crypto scandal.


Wiggly Wayne DDS
Sep 11, 2010



Bonzo posted:

https://www.humblebundle.com/books/...iley_bookbundle

Decent collection of books and material if you want to learn more about cybersecurity and hacking. Pay $1 or whatever
ya p solid set of classics in there, the essentials haven't changed much but worth keeping the age of the material in mind

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah thats a good bundle.

Diva Cupcake
Aug 15, 2005

Related, the 3rd edition of Security Engineering is online and free until he actually finishes it.

https://www.cl.cam.ac.uk/~rja14/book.html

evil_bunnY
Apr 2, 2003

22 Eargesplitten posted:

That reminds me, Algo's GitHub says "Does not claim to provide anonymity or censorship avoidance," why is that? Because your name is presumably going to be attached to the endpoint? Or is it just a CYA / statement that if the Mossad wants to steal your fansubs of the newest Magical Girl anime they will?
Because the transport layer is only a small part of the security problem.

22 Eargesplitten
Oct 10, 2010



Wiggly Wayne DDS posted:

ya p solid set of classics in there, the essentials haven't changed much but worth keeping the age of the material in mind

What's the required knowledge level to be able to understand those books? I've basically been bouncing around the junior IT generalist level for a few years now.

Wiggly Wayne DDS
Sep 11, 2010



22 Eargesplitten posted:

What's the required knowledge level to be able to understand those books? I've basically been bouncing around the junior IT generalist level for a few years now.
most of them are more concept/reference manuals than teaching material but you can still learn from them. there's going to be topics that you'll hit a wall on but there's a lot of specialist books in the collection. reversing and shellcoders are the ones that jump out as true classics, applied crypto is obviously very specialised but i remember that being a very pricey book on its own. malware analyst's book having the dvd makes it a rarity so if you want a guided environment that's a starting point.

even if you want to stay a generalist having a solid ground of the fundamental concepts in the specific fields is p useful for staying up to date. as i mentioned the books are p old but the systems are still in use and you have to start somewhere

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Finally a proper use for a VPN, other than Netflix et al. My ISP and a peering partner hosed up, broke things and even after fixing it, it took hours for routes to propagate properly. Parts of the Internet weren't reachable. Tunneling to a server that was reachable let me continue to operate just fine.

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
Central IT sent a university-wide nastygram because someone's emotet-infected laptop was apparently roaming across campus and our network provider was seeing traffic to known C&C addresses at the edge. :cripes:
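
As an added illustration for the post above (my own example, not anything from the thread or from whatever the network provider at Antigravitas' university runs): matching edge flow records against a C&C address list is the easy half. The useful half is attributing each hit to a device via the DHCP lease that was active at that instant, so a laptop that roamed across three subnets shows up as one MAC instead of three unrelated IPs. The flow and DHCP log formats, the addresses and the MAC/hostname pairs below are all constructed; real exports (NetFlow, a DHCP server's syslog) need their own parser.

```python
"""Added example: match edge flow records against known C&C addresses and attribute
each hit to a device via the DHCP lease active at that moment, so a laptop roaming
between subnets shows up as one MAC. All data is constructed for illustration
(RFC 5737 addresses, made-up MACs and hostnames)."""
from collections import defaultdict
from datetime import datetime

# Constructed indicator list; documentation addresses, not real IOCs.
KNOWN_C2 = {"203.0.113.45", "198.51.100.200"}

# Constructed edge flow export: one record per line, key=value fields after the timestamp.
FLOW_LOG = """\
2020-03-04T09:12:01Z src=10.20.4.17 dst=203.0.113.45 dport=8080 proto=tcp bytes=2140
2020-03-04T09:12:05Z src=10.20.4.17 dst=192.0.2.80 dport=443 proto=tcp bytes=51200
2020-03-04T11:40:33Z src=10.31.8.201 dst=198.51.100.200 dport=443 proto=tcp bytes=1880
2020-03-04T11:41:02Z src=10.31.8.77 dst=192.0.2.80 dport=443 proto=tcp bytes=70311
2020-03-04T14:05:10Z src=10.45.1.9 dst=203.0.113.45 dport=8080 proto=tcp bytes=2096
"""

# Constructed DHCP server log. Note that 10.20.4.17 is re-leased to a kiosk at 09:30,
# after the 09:12 hit: attributing by "current holder of the IP" blames the wrong box.
DHCP_LOG = """\
2020-03-04T08:58:40Z DHCPACK 10.20.4.17 aa:bb:cc:dd:ee:01 LAPTOP-X1
2020-03-04T09:30:00Z DHCPACK 10.20.4.17 aa:bb:cc:dd:ee:02 lib-kiosk-3
2020-03-04T11:20:12Z DHCPACK 10.31.8.201 aa:bb:cc:dd:ee:01 LAPTOP-X1
2020-03-04T11:25:00Z DHCPACK 10.31.8.77 aa:bb:cc:dd:ee:03 phd-desk-2
2020-03-04T13:50:05Z DHCPACK 10.45.1.9 aa:bb:cc:dd:ee:01 LAPTOP-X1
"""


def parse_stamp(stamp):
    """ISO-8601 with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_flows(text):
    """Yield one dict per flow record: a parsed 'ts' plus the key=value fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = parse_stamp(stamp)
        yield rec


def parse_leases(text):
    """Return {ip: [(ack_time, mac, hostname), ...]} sorted by ack time."""
    leases = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, action, ip, mac, host = line.split()
        if action == "DHCPACK":
            leases[ip].append((parse_stamp(stamp), mac, host))
    for entries in leases.values():
        entries.sort()
    return leases


def lease_at(leases, ip, when):
    """Most recent ACK for ip at or before `when`, or None if nothing held it yet."""
    best = None
    for ack_time, mac, host in leases.get(ip, []):
        if ack_time > when:
            break
        best = (mac, host)
    return best


def attribute_c2_hits(flow_text, dhcp_text, c2):
    """Map (mac, hostname) -> [(timestamp, src ip, c2 ip)] for every flow to a known C&C."""
    leases = parse_leases(dhcp_text)
    hits = defaultdict(list)
    for rec in parse_flows(flow_text):
        if rec["dst"] not in c2:
            continue
        owner = lease_at(leases, rec["src"], rec["ts"]) or ("unknown", "unknown")
        hits[owner].append((rec["ts"].isoformat(), rec["src"], rec["dst"]))
    return dict(hits)


if __name__ == "__main__":
    for (mac, host), events in attribute_c2_hits(FLOW_LOG, DHCP_LOG, KNOWN_C2).items():
        seen_from = sorted({src for _, src, _ in events})
        print(f"{host} ({mac}): {len(events)} C&C contacts from {seen_from}")
```

The `lease_at` lookup deliberately takes the ACK at or before the flow's timestamp rather than the IP's current holder; in the constructed data 10.20.4.17 is handed to a library kiosk eighteen minutes after the first hit, which is exactly how a roaming-laptop hunt ends up at the wrong desk. With the three hits collapsing to one MAC you also get the subnets it visited, which is what the helpdesk needs to find the owner.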

evil_bunnY
Apr 2, 2003

Antigravitas posted:

Central IT sent a university-wide nastygram because someone's emotet-infected laptop was apparently roaming across campus and our network provider was seeing traffic to known C&C addresses at the edge. :cripes:
Academia is a loving riot eh? It's so great knowing ~15 ways to own half the infra from outside, and a bunch more if you just get on the uni ethernet.

some kinda jackal
Feb 25, 2003

 
 
You mean no one is patching the 9,000 linux servers running various equipment from 1991 in half the labs on campus?

Up until like 2006 all computers on the networks at the uni I worked at had public IPs.

Good times.

Docjowles
Apr 9, 2009

Martytoof posted:

You mean no one is patching the 9,000 linux servers running various equipment from 1991 in half the labs on campus?

Up until like 2006 all computers on the networks at the uni I worked at had public IPs.

Good times.

I vaguely remember this about my alma mater circa 2000. Plug into the jack in your dorm room and bam, your Windows XP machine with file and printer sharing on by default and no firewall is naked on the public internet, lmao.

It's not even a particularly large or noteworthy school and checking ARIN they still have multiple public /16's plus misc other subnets allocated.

some kinda jackal
Feb 25, 2003

 
 
Yeah, we had a /16 too. I wish I could have gotten in on the ARIN allocations when the getting was good :twisted:

Sirotan
Oct 17, 2006

Sirotan is a seal.


Martytoof posted:

Up until like 2006 all computers on the networks at the uni I worked at had public IPs.

We have multiple /16's and everything that isn't a printer is on it. There appears to be 0 desire at central IT services to change this.

Mitigation plans for computers still on Win 7 recently were "put it on the private IP space" but besides an IPAM system there is literally no visibility into what has been stuck there. My particular unit is trying to change that for our networks but the rest of the university is just doing uh....nothing? :tif:

Sirotan fucked around with this message at 16:12 on Mar 4, 2020

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
Being on public IPs is perfectly fine. It was how the Internet was designed, it's not our fault everyone else is doing it wrong. gently caress NAT and the people who want it. You can pry our AS from our cold dead hands.

What isn't fine is that there is literally no way to force people to care after their poo poo. None. Null. Nischt. The people upstairs (who, ironically, don't have much going on upstairs, iygwim) have shown complete apathy to the issue and are more invested in trying to find ways to leak PII as much as possible and use every incompatible Adobe Acrobat feature they can find.

Everything is so fragmented that individual institutes are fending for themselves. Some institutes are tiny and simply don't have admins, so they are being run by students who are CLUELESS BEYOND BELIEF and what little knowledge they manage to scrape together vanishes as soon as they go.

wolrah
May 8, 2006
what?

Docjowles posted:

I vaguely remember this about my alma mater circa 2000. Plug into the jack in your dorm room and bam, your Windows XP machine with file and printer sharing on by default and no firewall is naked on the public internet, lmao.

It's not even a particularly large or noteworthy school and checking ARIN they still have multiple public /16's plus misc other subnets allocated.
Mine also gave us IPs from their /16, but most of the time there was a firewall that dropped all unsolicited inbound connections as well as outbound on a few specific ports. A lot of games and P2P apps were unusable most of the time because they'd see they weren't behind NAT and assumed they didn't need to do any firewall traversal. Every now and then though somehow the firewall would fail open and you could generally get a few hours of great gaming in before enough of the P2P crowd figured it out and obliterated the available bandwidth.

Antigravitas posted:

Being on public IPs is perfectly fine. It was how the Internet was designed, it's not our fault everyone else is doing it wrong. gently caress NAT and the people who want it. You can pry our AS from our cold dead hands.
Exactly. If you've got 'em, use 'em. NAT is a bodge, it's never desirable.

wolrah fucked around with this message at 16:47 on Mar 4, 2020

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
The local University here also uses public IP space for each of the departments. Within the department is a private network and within the campus datacenter there is a private network, but all space between them is 100% public. Also each department has their entirely own network complete with different IT staff and what I will hazard to call "architecture".

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
That was also a fun realisation, that other institutes WEREN'T dropping inbound connections by default.

At some informal meeting someone was asking how everyone was dealing with ssh login attempts in their network, and whether everyone was downloading lists of IP addresses to add to ipfilter. And apparently the Windows clients have RDP enabled (for easy management of course).

Everyone involved acted like it was totally normal to have every device reachable from the outside. I felt like I was being gaslit for an hour… :catstare:

Potato Salad
Oct 23, 2014

nobody cares


Antigravitas posted:

Being on public IPs is perfectly fine. It was how the Internet was designed, it's not our fault everyone else is doing it wrong. gently caress NAT and the people who want it. You can pry our AS from our cold dead hands.

What isn't fine is that there is literally no way to force people to care after their poo poo. None. Null. Nischt. The people upstairs (who, ironically, don't have much going on upstairs, iygwim) have shown complete apathy to the issue and are more invested in trying to find ways to leak PII as much as possible and use every incompatible Adobe Acrobat feature they can find.

Everything is so fragmented that individual institutes are fending for themselves. Some institutes are tiny and simply don't have admins, so they are being run by students who are CLUELESS BEYOND BELIEF and what little knowledge they manage to scrape together vanishes as soon as they go.

It's pretty drat impressive that more people in your position don't flip and exploit the network for cryptocurrency after hours.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
I always wonder whether that'll get noticed.

Back during the Bitcoin craze before the 20K USD peak, a friend of mine was toying with the idea of hiding an ASIC or two under the workbench of the workshop floor he's employed at. Those things were rated at 1300W per unit, resulting in more than 11MW per ASIC per year. I mean, it's a workshop with some medium sized machinery, but 11-22MW still.

evil_bunnY
Apr 2, 2003

Docjowles posted:

checking ARIN they still have multiple public /16's plus misc other subnets allocated.
This is really common tbh. Uni's were online real early and gobbled a bunch of space.


Antigravitas posted:

That was also a fun realisation, that other institutes WEREN'T dropping inbound connections by default.

At some informal meeting someone was asking how everyone was dealing with ssh login attempts in their network, and whether everyone was downloading lists of IP addresses to add to ipfilter. And apparently the Windows clients have RDP enabled (for easy management of course).

Everyone involved acted like it was totally normal to have every device reachable from the outside. I felt like I was being gaslit for an hour… :catstare:
aight remind me to never complain again lmao

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:

Potato Salad posted:

It's pretty drat impressive that more people in your position don't flip and exploit the network for cryptocurrency after hours.

That's typically masters students using juiced up rigs bought with grant money with absent paren^Wprofessors.

If I were to do something like that, legality, ethics, and professional honour aside, I'd have to see some pretty drat good returns to offset the risk. That's definitely something I'd get fired for, and getting fired takes actual effort here.

And if someone were to do it on our systems they'd get found out quick. We collect performance metrics of all boxen managed by us and we know what a normal load curve looks like during a normal day.
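
An added example of what the "we know what a normal load curve looks like" check can look like in code (mine, not the poster's tooling; the load samples are synthetic and constructed to show the edge cases): a per-hour-of-day baseline from a week of samples, a robust threshold from the median and MAD rather than mean and standard deviation so one noisy day does not stretch the envelope, and a minimum run length so a single backup job at 02:00 is ignored while a box that stays pinned all evening is not.

```python
"""Added example: hour-of-day load baseline with a robust (median + k*MAD) threshold
and a minimum run length, for catching a workstation that is suddenly busy all
evening. Not anyone's production tooling; sample data is synthetic and constructed."""
import statistics
from collections import defaultdict

BUSINESS_HOURS = range(8, 18)


def synthetic_history(days=7):
    """A week of hourly 1-minute load averages for one workstation (constructed)."""
    history = []
    for day in range(days):
        for hour in range(24):
            base = 1.8 if hour in BUSINESS_HOURS else 0.3
            jitter = ((day * 24 + hour) % 5) * 0.05  # deterministic wobble, 0.0 to 0.2
            history.append((hour, base + jitter))
    return history


def todays_samples():
    """Today (constructed): a 02:00 backup spike, a 14:00 compile job, a miner from 19:00."""
    samples = []
    for hour in range(24):
        load = 1.85 if hour in BUSINESS_HOURS else 0.35
        if hour == 2:
            load = 2.0
        elif hour == 14:
            load = 2.5
        elif hour >= 19:
            load = 3.8
        samples.append((hour, load))
    return samples


def baseline(history):
    """{hour: (median, MAD)} built from (hour, load) samples."""
    by_hour = defaultdict(list)
    for hour, load in history:
        by_hour[hour].append(load)
    model = {}
    for hour, loads in by_hour.items():
        med = statistics.median(loads)
        mad = statistics.median(abs(v - med) for v in loads)
        model[hour] = (med, mad)
    return model


def anomalies(model, samples, k=5.0, mad_floor=0.2, min_run=3):
    """Return the (hour, load) samples that sit inside a run of at least min_run
    consecutive samples above median + k * max(MAD, mad_floor) for their hour.
    The floor keeps a very flat baseline from turning trivial jitter into alerts."""
    flagged, run = [], []
    for hour, load in samples:
        med, mad = model[hour]
        if load > med + k * max(mad, mad_floor):
            run.append((hour, load))
            continue
        if len(run) >= min_run:
            flagged.extend(run)
        run = []
    if len(run) >= min_run:
        flagged.extend(run)
    return flagged


if __name__ == "__main__":
    for hour, load in anomalies(baseline(synthetic_history()), todays_samples()):
        print(f"{hour:02d}:00 load {load:.2f} is far above the usual for that hour")
```

With `k=5` and a MAD floor of 0.2 the constructed data gives a threshold of roughly 1.4 at night and 2.9 during the day, so the 02:00 spike crosses the line but is a run of one, the 14:00 compile job stays under the daytime line, and only 19:00 through 23:00 come back flagged. On real hosts the baseline would be per host (or per role) and fed from whatever collector is already in place; the floor and the run length are the knobs worth tuning.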

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
https://twitter.com/cosminim/status/1235692870050254850?s=20

Tmobile and Virgin Media both got hit.

And by "Hit" I mean exposed database.

CommieGIR fucked around with this message at 23:33 on Mar 5, 2020

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Martytoof posted:

You mean no one is patching the 9,000 linux servers running various equipment from 1991 in half the labs on campus?

Up until like 2006 all computers on the networks at the uni I worked at had public IPs.

Good times.

running everything on public IP space owns. NATs aren't good security boundaries and just make poo poo harder to track down. there's a reason why ipv6 intends to do away with the practice

Antigravitas posted:

Being on public IPs is perfectly fine. It was how the Internet was designed, it's not our fault everyone else is doing it wrong. gently caress NAT and the people who want it. You can pry our AS from our cold dead hands.

What isn't fine is that there is literally no way to force people to care after their poo poo. None. Null. Nischt. The people upstairs (who, ironically, don't have much going on upstairs, iygwim) have shown complete apathy to the issue and are more invested in trying to find ways to leak PII as much as possible and use every incompatible Adobe Acrobat feature they can find.

Everything is so fragmented that individual institutes are fending for themselves. Some institutes are tiny and simply don't have admins, so they are being run by students who are CLUELESS BEYOND BELIEF and what little knowledge they manage to scrape together vanishes as soon as they go.
correct.

some kinda jackal
Feb 25, 2003

 
 
I mean, in theory I can't disagree and I certainly won't pick this as a hill to die on, but to be clear I'm talking about "running off public IPs" as in the "this network port here just routes in and out of the internet with no firewall port filtering" kind of "running off public IPs".

Given that virtually no one practices good hygiene, the scenario of everyone running off public IP space as it was designed is like talking about a world where we have no concept of money and just go to work for spiritual fulfilment; they're both equally attainable :haw:

BlankSystemDaemon
Mar 13, 2009




NAT isn't a security boundary, at all.
Also, just because you have public IPs on all machines doesn't mean you can't have a central firewall.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

D. Ebdrup posted:

NAT isn't a security boundary, at all.

Why not? It's functionally the same as a boundary firewall that blocks everything by default, and can only have one rule per port open.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
NAT, like VLANs, is not designed from the ground up as a security feature, but it certainly can provide security controls.

BlankSystemDaemon
Mar 13, 2009




peak debt posted:

Why not? It's functionally the same as a boundary firewall that blocks everything by default, and can only have one rule per port open.
Except that CPE and most consumer gear that people buy ships with UPnP, NAT-T and other forms of bypass that let people poke holes through NAT.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

CommieGIR posted:

NAT, like VLANs, is not designed from the ground up as a security feature, but it certainly can provide security controls.

Don't you understand, anything that's not an absolutely perfect magic bullet for every conceivable scenario is worthless

See also: VPNs, two-factor auth, password managers, tracking cookie blockers, the lock on your front door

BlankSystemDaemon
Mar 13, 2009




Ah yes, it is of course perfectly reasonable to use things not designed for security, such as chroot, docker, or NAT for security related solutions.
No problems will ever come of that, surely.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

D. Ebdrup posted:

Ah yes, it is of course perfectly reasonable to use things not designed for security, such as chroot, docker, or NAT for security related solutions.
No problems will ever come of that, surely.

Security Controls are not about perfection, they all have their issues. Which is why understanding their risks and creating mitigation for those risks is critical.

Most things used as or addressed by security controls are not designed for security.

CommieGIR fucked around with this message at 18:59 on Mar 6, 2020

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
NAT is a security risk, not a security mechanism. It makes your network harder to reason about and does not control access.

A firewall is a perfect mechanism and, luckily, not an esoteric piece of equipment. You'd typically deploy and configure one along with NAT anyway because splitting NAT and firewall is even more insane and harder to reason about.

The zen state of networking is a firewall without any NAT. Everything is straightforward, no weird packet mangling to keep in mind.

BlankSystemDaemon
Mar 13, 2009




Naturally, all software has bugs and even with high-quality software at "only" 1000 lines per bug (versus 100 lines per bug for average-quality), there's no escaping that fact.
My point is that if someone sets out to make something for security, they almost-universally tend to put a little more thought into the design than if it's something that they're just whipping together as a hack to accomplish a task.

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
I'm more worried about silly humans getting it wrong. I've seen my fair share of NAT problems caused by humans, because NAT is actually really complicated once you get into edge cases.

Fun fact: Warframe gets confused by certain types of NAT and exhibits subtle and not so subtle bugs as a result. If your NAT device does outbound port randomisation of outgoing connections the game's p2p networking will blow up.

BlankSystemDaemon
Mar 13, 2009




Antigravitas posted:

I'm more worried about silly humans getting it wrong. I've seen my fair share of NAT problems caused by humans, because NAT is actually really complicated once you get into edge cases.

Fun fact: Warframe gets confused by certain types of NAT and exhibits subtle and not so subtle bugs as a result. If your NAT device does outbound port randomisation of outgoing connections the game's p2p networking will blow up.
That sounds delightful :allears:

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Antigravitas posted:

I'm more worried about silly humans getting it wrong. I've seen my fair share of NAT problems caused by humans, because NAT is actually really complicated once you get into edge cases.

Fun fact: Warframe gets confused by certain types of NAT and exhibits subtle and not so subtle bugs as a result. If your NAT device does outbound port randomisation of outgoing connections the game's p2p networking will blow up.

But a firewall would exhibit the same issues. An application running on the inside doesn't know what incoming connections are allowed, so as soon as it tries to build a p2p mesh it can run into issues.
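
The NAT-versus-firewall argument above, as an added toy model (my illustration, not any poster's code): a source NAT with a connection-tracking table next to a stateful firewall in front of hosts that keep their public addresses. It exercises the three points argued over: unsolicited inbound is dropped by both, a UPnP-style port mapping silently reopens the NAT, and a NAT that picks a fresh external port per destination breaks the STUN-style hole punching that peer-to-peer games rely on, where the firewall (and an endpoint-independent NAT) do not. All addresses are RFC 5737 documentation space, the `eim`/`symmetric` labels are this model's own names for the two mapping behaviours, and the STUN exchange is reduced to "tell me the source address you saw".

```python
"""Added toy model: a source NAT with conntrack versus a stateful firewall in front
of public addresses. Not any poster's code; addresses are RFC 5737 documentation
space and the STUN/peer/scanner endpoints are constructed for the example."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Public addresses, nothing rewritten. Outbound is allowed and remembered; inbound
    passes only as a reply to a remembered flow or via an explicit allow rule."""
    def __init__(self):
        self.flows, self.rules = set(), []

    def allow_inbound(self, dst_ip, dst_port, from_net):
        self.rules.append((dst_ip, dst_port, ipaddress.ip_network(from_net)))

    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt  # the host's real address goes on the wire

    def inbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return pkt
        src = ipaddress.ip_address(pkt.src_ip)
        for ip, port, net in self.rules:
            if (pkt.dst_ip, pkt.dst_port) == (ip, port) and src in net:
                return pkt
        return None  # default drop


class NAT:
    """mapping="eim": one external port per inside socket (endpoint-independent).
    mapping="symmetric": a fresh external port per destination (port randomisation)."""
    def __init__(self, public_ip, mapping="eim", seed=1):
        self.public_ip, self.mapping = public_ip, mapping
        self.rng, self.used = random.Random(seed), set()
        self.table = {}     # mapping key -> external port
        self.flows = {}     # (ext_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.forwards = {}  # ext_port -> (inside_ip, inside_port)

    def _new_port(self):
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in self.used:
                self.used.add(port)
                return port

    def add_port_mapping(self, ext_port, inside_ip, inside_port):
        """What a UPnP IGD AddPortMapping from any inside box, malware included, does."""
        self.used.add(ext_port)
        self.forwards[ext_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if self.mapping == "symmetric":
            key += (pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self._new_port()
        ext_port = self.table[key]
        self.flows[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        inside = self.flows.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        inside = inside or self.forwards.get(pkt.dst_port)
        if inside is None:
            return None  # no state and no mapping: the "NAT blocks it" side effect
        return Packet(pkt.src_ip, pkt.src_port, *inside)


STUN = ("203.0.113.10", 3478)    # constructed: reports the reflexive address it saw
PEER = ("198.51.100.7", 4950)    # constructed: another player, reachable on that port
SCANNER = ("198.51.100.99", 40000)


def unsolicited_reaches(box, target_ip, target_port):
    return box.inbound(Packet(*SCANNER, target_ip, target_port)) is not None


def hole_punch(box, inside_ip, inside_port=4950):
    """A learns its reflexive address from STUN, passes it to B out of band, sends to
    B first (creating state), then B sends to the advertised address. True if it lands."""
    probe = box.outbound(Packet(inside_ip, inside_port, *STUN))
    box.outbound(Packet(inside_ip, inside_port, *PEER))
    got = box.inbound(Packet(*PEER, probe.src_ip, probe.src_port))
    return got is not None and (got.dst_ip, got.dst_port) == (inside_ip, inside_port)


def demo():
    fw = StatefulFirewall()
    fw.allow_inbound("192.0.2.5", 3389, "192.0.2.128/25")  # RDP only from the admin subnet
    nat_eim, nat_sym, nat_upnp = NAT("192.0.2.1"), NAT("192.0.2.1", "symmetric"), NAT("192.0.2.1")
    nat_upnp.add_port_mapping(3389, "10.0.0.5", 3389)  # one inside host "helpfully" opened RDP
    return {
        "fw_blocks_scanner": not unsolicited_reaches(fw, "192.0.2.5", 3389),
        "fw_admin_rdp": fw.inbound(Packet("192.0.2.200", 50000, "192.0.2.5", 3389)) is not None,
        "nat_blocks_scanner": not unsolicited_reaches(nat_eim, "192.0.2.1", 3389),
        "nat_upnp_hole": unsolicited_reaches(nat_upnp, "192.0.2.1", 3389),
        "p2p_firewall": hole_punch(fw, "192.0.2.5"),
        "p2p_nat_eim": hole_punch(nat_eim, "10.0.0.5"),
        "p2p_nat_symmetric": hole_punch(nat_sym, "10.0.0.5"),
    }
```

Note what the two boxes can express: the NAT's `forwards` table is keyed by external port alone (the one rule per port peak debt describes), while a firewall rule carries a source network, so "RDP only from the admin subnet" is one line on the firewall and not expressible on the NAT at all. That is the access-control distinction Antigravitas draws; the inbound-drop behaviour the two share comes from the state table, not from the address rewriting, which is also why the symmetric NAT fails the hole punch while the firewall does not: there is no mapping to guess wrong.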

Truga
May 4, 2014
Lipstick Apathy
a firewall does not need to be a router, but a router has to be a firewall, is the point here i think

BlankSystemDaemon
Mar 13, 2009




Truga posted:

a firewall does not need to be a router, but a router has to be a firewall, is the point here i think
Back in my day the DTE, router, firewall, switch, access point, and NAT or VPN concentrator all used to be separate devices. :corsair:

EDIT: Better yet, everything after the DTE was your responsibility, and if it broke you got to keep all the pieces.

BlankSystemDaemon fucked around with this message at 20:47 on Mar 6, 2020


Potato Salad
Oct 23, 2014

nobody cares


Antigravitas posted:


The zen state of networking is a firewall without any NAT. Everything is straightforward, no weird packet mangling to keep in mind.

For performance, however,
