• 0 Posts
  • 51 Comments
Joined 1 year ago
cake
Cake day: November 4th, 2023

help-circle
  • I see some comments recommending wordpress but wordpress is a security problem, especially if you’re using 3rd party plugins. It is such a bad problem that their are ‘wordpress security’ applications but even then wordpress sites get hacked all the time. If you are going to use it, it is best to let some other host handle it for you if you don’t know a whole lot about what you’re doing.

    There are many, many other content management systems out there. Some are lighter than wordpress and some heavier. They are all about posting and managing content. Most of them have some sort of user and authoring system. Once you’re webserver is set up, many are written in a mixture of php and python so setting them up is generally drag and drop with either minor configuration file edits or wizards. Many of them have sections that you can set up using a labeling/tagging system. Most of them allow you to have the ‘stories’ as private or draft where you have to actually click publish before people can view them. Some have user roles systems where you can limit viewing and even editing between different roles for sections.

    Generally, once their setup is done, they are point and click to do everything.

    Here’s a nice list of FOSS CMS’ (which includes Wordpress of course).




  • I accidentally overwrote /etc/passwd once and I allowed /boot to run out of space during a kernal update and I created a local user with the same user that was also on the realm/domain that I had joined and various bash script issues.
    Some stuff I’ve had to fix that someone else did:

    • named a file rm -rf
    • rm -rf /bin instead of ./bin – Also the fact that they had sudo was crazy and also I guess this was the second time
    • chmod -R 777 /
    • Various software bugs running swap out of space or hitting the inode limit by creating files over and over again with a timestamp in the filename and having to remove all of them because there was no backup to the OS
    • Someone disabled SELinux because something wasn’t working but didn’t tell anyone – ugh
    • Compiled java because they googled some issue and followed some old tutorial without understanding anything instead of using alternatives and symlinked the old java from /bin to /home/theiruser/java – had sudo because he was a Windows domain admin.
    • Cybersecurity guy didn’t know what some VMs did so he turned them off and figured he’d find out if/when someone complained. Caused a massive core services outage.
    • Same Cybersecurity guy deleted a bunch of data because he wanted to see how the sysadmins would respond and witness backup restorations. He did not inform anyone.
    • Cybersecurity guy above still has Domain Admin and sudo everywhere. I would have personally removed his privileged access regardless of what ‘CyberSecurity’ management thought but I was leaving for a new job by then anyway so I figured I’d just let them eventually lie in the bed they made.

    There’s more but I don’t want to keep going because it is Sunday and I don’t want to ruin it.










  • Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.

    Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right on that this will be a problem for the consumer because PCs, IoT devices, printers, circuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.

    As an example, I have a global IPv6 on a few on my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.

    I’d imagine that’s true for most people at home.


  • NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.

    The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.

    Take for example this scenario:

    You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have uPNP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device opening it up to bot attacks and the like.

    Another scenario:

    You want to play a video game with you and your friends and you’re going to host it. So either you manually forward those ports or perhaps uPNP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friend’s IPs it will drop them. Though it is possible the game is exploitable and your friend’s are compromised.

    Take for example malware has been known to spread via Minecraft.



  • It doesn’t sound so terrible. Just tracks upsells for a bonus, right? Think about what happens every single time with technology like this. It will definitely be used to create metrics on virtually everything an employee does and continue to press upward.

    If this goes unchallenged expect things like cameras watching everything you do. White collars have cameras aimed at their faces and keyboards, blue collars have them on their job sites. You’ll need to meet hard metrics to be considered at the bare minimum and also compete with others for raises/bonuses based on the data. The top competitors push the mean metrics up and up.

    It wasn’t that long ago when employers were demanding not only their employees’ social media username and passwords but also applicants. Some states passed laws specifically banning that, which was helpful and thankfully some of those states were key states where many corporations are incorporated for the immense tax breaks and also thankfully people just made it ineffective by creating obvious dummy accounts.

    Workers rights in the US much like consumer rights aren’t that great compared to other nations. Unions are trying hard to make a big come back but are being hard fought. There are big companies that continue to illegally union bust that aren’t held accountable at all.

    Companies do not need this to remain competitive and survive. They need this to maximize profits. Please consider these types of issues when you vote and write your representatives about these things going forward.


  • I disagree about ClamAV in-so-far as its vanilla virus signature database. You really should use some third party ones though you have to be careful since some like specifically malware patrol are way too general. For example, malware patrol will identify any document mentioning any drive.google.com URL a virus.

    In regards to MP, I actually submitted the offending signature to MP support and the CSR told said and I quote “Unfortunately that is not a false positive, there is confirmed malware hosted at drive.google.com.” It caught my attention because a bunch of READMEs from some github projects and some HTML files ended up in the quarantine. I asked if future signatures would include this general URL since I’m going to blacklist this specific signature and was told basically ‘yes, probably’.

    I do recommend third parties though and most are free for personal use. Some require a key and therefore some sort of sign up but it isn’t terrible except perhaps in regards to where I’m posting, some would consider it so.




  • Your immutable OS stays stable. For example, running a sudo pacman -Syu with a bunch of stuff from AUR in your Arch container for example will not bring down your OS or otherwise make it unstable. The immutable image you first install has been tested and it is the same image as the testers – same with the upgrades and updates, so long as you don’t overlap the image with rpm-ostree in this case.

    Immutability keeps your OS stable and if something does happen to go wrong, you just roll it back.

    If that isn’t something you need/want then that’s not something you need/want.