I recently listened to a Darknet Diaries episode about the LinkedIn hack.

A Russian hacker exploited a vulnerability in a public webserver for a personal website that a LinkedIn engineer self-hosted from his home. From there, the hacker was able to hop from the server, through his local network, to his work laptop. From the work laptop, he used the engineer's VPN credentials to get inside LinkedIn's internal systems and dump the databases.

That scared me into moving all the public webservers I self-host at home to a VPS.

I'm in the migration process right now, which is why my NIP-05 and lnurl are not working at the moment.

Discussion

I am very selective about what I run from home. I have a large monthly VPS bill, but if it helps mitigate some of that risk I'm OK with it.

I have to admit before I was like: "not your metal, not your server".

I chose sovereignty over security, without any nuance.

From now on, everything public goes to the VPS (with regular backups in case it gets taken down), everything private stays at home.

The only port I want open in my house is a single UDP port for wireguard. Good luck trying to break through that!

Life hack:

Hybrid node on VPS, private channel to Tor home node.

Privacy and comfort.

If by node you mean Bitcoin, then absolutely no. Not your metal, not your node.

Agree 100% with this stance.

nostr:note1n24kce5twttrnu9wyealxkkn2l74hgjeut7kmpe8sq5slm5jk60sx63n3z

Yeah, that's basically how I think about it nowadays. Public shit is public with lots of backups, and private is behind WireGuard (also with lots of backups lol).

Thoughts on things like Cloudflare Tunnels to proxy public facing services in lieu of opening ports on your network?

I self-hosted behind a Cloudflare proxy as well. The fact is, it's impossible to fully secure a public webserver. Any motivated and resourceful attacker can find their way in.

The web (just http, not the Internet) is inherently insecure.

Yeah, very true. This is why we can't have nice things 😅

Seems a LinkedIn PAID engineer lacks knowledge of DMZ.

DMZ is just the illusion of safety, just like containers or VMs. Whoever hacked his webserver could just as easily hack the router and from there access the local network.

Also, a simple MAC address spoof would be enough to enter the non-DMZ network.

Depends on the skills and carelessness of the person who sets up the DMZ.

I'm not nearly as savvy with networking as I'd like, so two questions:

1) Would a server (like Umbrel or Start9) that runs applications as Tor hidden services solve this problem?

2) At what layer upstream is the threat mitigated? If I had two internet providers servicing my house, that would create a gap, right? If so, is there any way to do this via a technical means rather than literally paying for two ISPs?

Unfortunately, I had to make some compromises when moving public services to a VPS and locking up my home network. No more Matrix Synapse homeserver.

Takes too many resources on a cheap VPS. Also, I'm not as bullish on Matrix as I once was. It takes too much of my own time to manage my instance, I failed to convince friends and family to use it, and Matrix leaks a bunch of metadata when federating with big servers.

I'll only use Signal (Molly), SimpleX, and Telegram (with a fake number).

nostr:nevent1qqsv3q6xgfma67tq2j56gdr5hr25fhx2559g8mvezasntsxj0jjzd6cpvemhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0dec82c33xeerqarv8psnxwtgdp3hyctsvycrxdf489uxz6rndfck5drnxpunvapjdc6kwurydvmrga3sxe48gem9ddckg6m6x4cxc0mzwfhkzerrv9ehg0t5wf6k2q3q6r0tl8a39hhcrapa03559xahsjqj4s0y6t2n5gpdk64v06jtgekqxpqqqqqqzcmzajt