r/theydidthemath
r/theydidthemath
It’s really not bad, you just have to rememb
Segmentation Fault - Core Dumped
I have declared war on notifications. My immediate family, two closest friends, and my boss can call me. In no other circumstances will my phone make a noise or vibrate. I will check my texts when I feel like it.
Other than a few exceptions, no apps may show the notification badge either. Discord will show DMs and mentions from one or two servers. Everything else is blocked. My work email may show unread email. I’ve even turned off banners on my work chat app. I don’t think I’ve checked my personal email in months.
All my recurring charges are paperless + autopay. That’s another notification badge I forgot about - I have a budgeting app that can show transactions. I categorize them, make sure their categories are covered, and I’m done.
On the first of the month, I pay rent and set the budgeting app categories. Then I have nothing to worry about, and near-zero distractions. My biggest pain point in life is deciding what to eat for dinner.
This is absolute gold. To the right person, this comment is priceless. Thank you for typing all this out. This is wisdom right here.
Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn’t do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.
(It’s actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)
The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.
Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.
You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It’s a good idea, but decreases accessibility (which is part of security) - so there’s a value judgement here between the strength of a vpn and your accessibility goals.
Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it’s for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.
After strong auth, you want to think about software vulnerabilities - and you don’t have to think much, because there’s only one answer: keep your stuff up to date.
All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky. In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:
That list could be much longer, but that’s a good start.
After Identification, there’s Contain + Eradicate. In a homelab context, that’s probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they’re in, they’re in. Reformat the disk.
R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for “rebuild”. Combine this with L (lessons learned) to rebuild differently than before.
To close out this essay though, I want to reiterate Strong Auth. If you’ve got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)
It’s not rocket appliances
Top shelf? Disrupted my circadian rhythm
There is no such thing as easy or hard.
Give it a try, fuck it up, and give it a try again. Try not to fuck it up in the same way as the first time. Repeat until it works - it will work eventually.
It took me about 6 hours and 3 disk re-formats my first time. I was particularly bad at it. I barely knew what a disk was, nevermind a partition.
Actually I’m still not sure what a partition is.
You’ll do fine :)
I strongly recommend the NAT loopback route over attempting split-horizon dns.
Arch-packaging-haskell moment
My apologies, allow me to elaborate - grayhatwarfare.com is a cybersecurity company that crawls and indexes publicly-available blob stores, like s3 buckets, azure storage accounts, digital ocean spaces, and google cloud object stores. They offer limited search capabilities for free, no account-wall.
They are a legitimate cybersecurity company, despite their name.
My employer is working on a sensitive data scanning service, to alert clients in case their information surfaces in these buckets (even if they do not own the bucket), leveraging the grayhatwarfare api. In short, allowing us to detect and remediate the problem, which I hope you will agree is a white-hat activity :)
I do not publicly condone breaking the law. I reserve the right to criticize the DMCA tho ;)
And if google dorks aren’t interesting enough, because google does not index enough public buckets for you, then we get to learn about gray hat warfare too :)
At what point does a collection of microservices become a monolith that uses http instead of a bus 🤔
This is cyberpunk as hell, and awesome.
Unfortunately apple does not expose mac addresses to apps, so iPhone users can’t do it :(
r/theydidthemonstermath