I think people would be surprised how much of the world's infrastructure just runs on top of ordinary Windows computers, not fundamentally much different from your home PC.
A single buggy kernel driver update from CS Falcon is showing it.
Even grocery store checkout machines aren't safe.
nostr:note10ketur3c65s84he33z9q9jwqzxxy845epas9qlcxggfuynfed48qyx8ln7
miss that old @; btw, this was in response to me drawing fanart for this guy
twitter.com/ArgyleAchilles/status/1389116663522480132

I am racist
nightcore time
youtube.com/watch?v=cr1ApdTn6JY
meme nickname 4chan people created for niggy
Y
nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw I could go that far, but I really just settle for a 100% free software BIOS with a SPI flash chip that can't be written without root access and no proprietary software runs as root either, as I doubt the glowers have dedicated resources to getting me...yet.
"Secure boot" is not a basic security feature, since it gives a false sense of security: it's extremely trivial to bypass, because clowns have signed every proprietary binary under the sun with the root UEFI certificates.
Although there are revocation lists for known buggy binaries, those revocation lists are very rarely ever implemented.
Really, the only way to achieve a level of security similar to GRUB GPG signing is to disable all the default UEFI root certificates and load up your own keys.
these security features do work friend, they make our lives very difficult. it's hard to get a malicious UEFI binary signed; it's a significant barrier to the vast majority of attackers. If I went online now and tried, I couldn't do it
yes friend, it sounds like that could work; anything beyond that depends on your needs. e.g. you could even set up your clients on individual VLANs to monitor and control traffic per client at the router level
nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 this is correct (and what I would recommend to a client/org), but this is a hard sell for FOSS projects where you don’t control the OS or network layer. The best OSS projects can do is include a bunch of init runtime checks for the vulns and warn that external (to the software) config changes need to be made for security.
Then you get 9,999 GitHub tickets asking “how do I enable DNS rebind protection for
no real way to protect against DNS rebinding in a standard web app codebase, unfortunately; it's a system-level issue. would have to handle DNS resolution in the app itself, which is impractical
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m question, how TF do I prevent SSRF without setting up an outbound proxy server? Doing DNS lookup I assume will destroy performance, and caching the lookup makes it vulnerable to timing attacks. The internet is broken
easy way is to use a DNS server with rebinding protection on the system (most do) and just disable IPv6. that just leaves simple input validation for IPv4 RFC 1918/link-local; could just block IPv4 URLs completely
yes friend, that makes sense; standard managed switches should work, just set them up connected to the router with port isolation
the setup for how switches connect to the router depends on bandwidth requirements more than anything; you could connect multiple switches to each other as long as the link to the router can handle it
for a smaller operation with a couple hundred connections you should be able to get by with pretty normal networking gear and setups without anything too special
hello friend, do you have a scale in mind for your ISP? there's no technical reason you can't be a boutique provider of just direct fiber lines to a pfSense router, though that's not how normal large corporate operations work
hardware/software choice mostly varies by region in my experience; choices are just based a lot on commercial support. MikroTik is popular in the Middle East area, so maybe that's why you've seen it a lot
thank you friend, not the full report, but I have posted a redacted version here; it should be a few posts down on my timeline
nostr:npub1c5j34xxc6lj37y7ymd3dqtn8lr7v77evk973gumh3dg9g5q2e0jq00emu0 friend can you translate these lunar sigils?
nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub12haw8lqt6g57r8zk9vc7w32cezuu2d5tcqpsarquntgfl5n0wrjq8nxxk6 >Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.
Also there's nobody auditing it. As jank as Mastodon is, they have processes for dealing with this too and a bug bounty.
don't worry friend, I am auditing it