Gareth boosted

Tor friends, relay operators, and anyone who wants to learn about Tor: Join us at Hackerspace Valencia on Thursday, March 28. blog.torproject.org/events/tor

So I'm taking down one of the BrassHornCommunications.uk routers tonight to give it a long overdue upgrade (to OpenBSD 6.4).

We're currently pushing 680Mbit/s of traffic (low because most of the Tor Exits have already been shut down for their own upgrades).

I don't think this router has been shut down since it was commissioned in 2015 - if you see AS28715 flapping tonight you'll know I screwed something up!

I'm not sure what's worse.

That I'm resorting to using a Cisco for tomorrow's maintenance or that I have *several* rack cabinets worth of Cisco routers / switches sat here in the garage :/

The tweaking of net.inet.ip.ifq.maxlen did not go well...

APU2C4 running 5.9 - I really ought to upgrade this.

Gareth boosted

The call for papers and presentations for @eurobsdcon 2019 (September 19-22 2019 in Lillehammer, Norway) is open. Please submit your talk or tutorial proposal through the registration system at registration.eurobsdcon.org. See you in Lillehammer!

Gareth boosted

Finally got round to moving a big chunk of ablative.hosting workload from various cloud providers to colocation servers running vmd(8).

There was a hiccup however; Ablative uses v4 UUIDs or sha256 hashes for virtually all ids / tags.

The CURRENT source shows VMM_MAX_NAME_LEN to be 64 github.com/openbsd/src/blob/ma but `vmd -n` was throwing an error about the vm names being too long.

I was confused till I realized this change from 32>64 was only 4 days old!

github.com/openbsd/src/commit/

Gareth boosted

Deploying a web app:

1995:
1. FTP Perl script to cgi-bin
2. There's no step 2

2019:

All these years later and I'm still using a little softshell moleskine as my general purpose ToDo and notebook.

Only thing that I'd want is for the pages to be perforated at the spine so I can remove all the pages that are now moot.

FFS, just read a criticism of 8.8.8.8 that was, and I kid you not, "just how highly available can Google's DNS service be when it's only running on two IPs from one ISP"

This was on an *invite only* CyberSecurity platform...

We're all fucked.

I know that the folks at NCSC have bigger problems but would it kill them to hire a couple of junior infosec people, pay for Shodan accounts and work to identify the owners of all these unauthenticated Samba boxes?

shodan.io/search?query=country

I regularly get emails from the NCA/NCSC about botnet / malware sinkhole hits from my ASN so it's not totally beyond their remit to do such a thing.

As soon as the press started asking questions the OAIC and First National started responding to my messages.

itnews.com.au/news/first-natio
computerworld.com.au/article/6

The breach is now closed and the "authorities" are investigating the breach.

Personal data is not something that should be hoarded, it is a toxic asset, it's borderline radioactive and businesses should respect the trust that people place in them when providing such data.

People deserve better. People deserve privacy.

Digging into the JS we find a function named js_show_resume which opens a new browser window at the following URL:
cdn.salesinventoryprofile.com/" + cv_filename

The path matches the S3 bucket and a subsequent request to the CDN URL with one of the (already opened) documents confirms we're on the right track.

I tried messaging the MD of the company offering this service but they didn't reply.

I could've waited longer but I owe nothing to the company & everything to the individuals.

I cc'd the press.

Worryingly this breach overwhelmingly affected young women whose name, home address, date of birth, phone #, email, job history & education had all been made public.

During the lull in contact I dived a little deeper into how this situation came about.

After searching for jobs with First National I found an advert that directed candidates to salesinventoryprofile.com

This website requires one to answer 300+ psychometric questions and then upload a CV.

It's all done via JS & SAJAX (PHP backed)

So, I spent some of the holiday period trawling through buckets.grayhatwarfare.com/ for personal data.

Unfortunately I found a few instances.

One of these made the news, a real estate agency in Australia.

The public, indexed bucket contained over 6000 CVs & cover letters, thankfully the cover letters identified the intended recipient.

I reached out to them (& the Aussie version of the UK's ICO) on Twitter but didn't hear back over the weekend or by COB Monday.

The last thing I need to do as part of my digital detox is fully adopt Mastodon over twitter.

2018 saw:
- No more smartphone
- 100% Qubes/BSD computing
- All email moved to ProtonMail
- 99% of browsing done over Tor
- All non-U2F 2FA moved to YubiTOTP

Roll on 2019!

So yeah, I forgot all about Mastodon.social and my instance at ablative.stream

I'll be retiring it this weekend as I don't have the time to maintain it and there are plenty of well maintained instances about; joinmastodon.org/
