@Jimmy9008 test or demo environments should never be any less secure than production.

Posts
-
RE: Virtual WAF
-
RE: Virtual WAF
@Jimmy9008 said in Virtual WAF:
We will soon have a few webservers/applications
Running on which webserver(s)?
What kind of web apps, what language?
-
RE: Gophemeral
@Pete-S said in Gophemeral:
@stacksofplates said in Gophemeral:
I wrote this utility. It's for sharing secrets or any sensitive data. Instead of just emailing or texting the data, you can create a message with this service and it will encrypt the data and store it. It will only allow the message to be viewed whatever number of times you specify. It gives you back a message ID and password that you pass on to your recipient and they can retrieve the message.
You can use the hosted version, which is limited to 50 characters, and 5 days of retention. Or you can run the server on your own.
By default the server will use Fauna as a backend, but you can specify to use a local BoltDB database. The utility can be downloaded from GitLab here and the same cli tool that runs the server also interacts with the server.
It sounds cool but I can't see how it will be more secure than just mailing the data?
I mean you are mailing the message ID and password needed to decrypt.
That's what I believe is called the key exchange problem and the reason for asymmetric encryption and public/private keys.
And guess what happens if anyone other than you gets in your mail? Versus, what happens if anyone other than you gets ahold of the secret ID and password after you've seen it. Huge huge difference, way more secure. These things are used all the time. Yes, email could be as secure, or even more... But in practice, it never is across the board.
-
RE: Gophemeral
@stacksofplates said in Gophemeral:
I'm not sure I understand the first question. The password isn't stored in the database. It's generated randomly and used to encrypt the message and then given to you. That encrypted string is then stored in the database. If you lose the password, your message is not recoverable.
Yes, that answers my first question exactly... I meant it as in the secret is encrypted within the database, such that if the DB is compromised, the secrets are fully encrypted using the password that is given to you (aka the decryption key), with no record or log containing the key.
It also plays into Q2, which is answered.
I also see that the data from the web form is sent to the server via https (https://api.gophemeral.com/api/message), which was going to be my next question but I saw for myself, and obviously from the server back to me.
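The scheme discussed in this thread (random password generated per message, only the ciphertext stored, message viewable a fixed number of times, unrecoverable without the password), as an added example written here in Go. This is not Gophemeral's code: it assumes a hypothetical in-memory Store standing in for the BoltDB/Fauna backend, AES-256-GCM with the random key itself handed out (base64) as the "password", and the invented names Put and Get.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"sync"
)

// record is all the server keeps per message: nonce, ciphertext and the
// remaining view count. The password (the key) is never written anywhere.
type record struct {
	nonce, ciphertext []byte
	viewsLeft         int
}

// Store is a hypothetical in-memory stand-in for a BoltDB/Fauna backend.
type Store struct {
	mu   sync.Mutex
	recs map[string]*record
}

func NewStore() *Store { return &Store{recs: make(map[string]*record)} }

var (
	ErrNotFound  = errors.New("message not found or views exhausted")
	ErrBadSecret = errors.New("wrong or malformed password")
)

// aead builds an AES-256-GCM cipher from a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh random 256-bit key, stores only the
// ciphertext, and returns the message ID plus the key (base64) as the
// password the sender passes to the recipient out of band.
func (s *Store) Put(plaintext string, maxViews int) (id, password string, err error) {
	if maxViews < 1 {
		return "", "", errors.New("maxViews must be at least 1")
	}
	key, nonce, idBytes := make([]byte, 32), make([]byte, 12), make([]byte, 9)
	for _, b := range [][]byte{key, nonce, idBytes} {
		if _, err := rand.Read(b); err != nil {
			return "", "", err
		}
	}
	gcm, err := aead(key)
	if err != nil {
		return "", "", err
	}
	id = base64.RawURLEncoding.EncodeToString(idBytes)
	// The ID is GCM additional data, so a record copied under another ID
	// fails authentication instead of decrypting.
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(id))
	s.mu.Lock()
	s.recs[id] = &record{nonce: nonce, ciphertext: ct, viewsLeft: maxViews}
	s.mu.Unlock()
	return id, base64.RawURLEncoding.EncodeToString(key), nil
}

// Get decrypts with the supplied password, consumes one view on success and
// deletes the record once the allowed views are used up. A wrong password
// fails GCM authentication and does not consume a view.
func (s *Store) Get(id, password string) (string, error) {
	key, err := base64.RawURLEncoding.DecodeString(password)
	if err != nil || len(key) != 32 {
		return "", ErrBadSecret
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.recs[id]
	if !ok {
		return "", ErrNotFound
	}
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.nonce, rec.ciphertext, []byte(id))
	if err != nil {
		return "", ErrBadSecret
	}
	rec.viewsLeft--
	if rec.viewsLeft == 0 {
		delete(s.recs, id)
	}
	return string(pt), nil
}
```

The point the thread makes is visible in the record type: a dump of the store yields only nonces, ciphertexts and counters, so compromising the database alone gives nothing, and once the view count hits zero the record is gone for everyone, including anyone who later obtains the ID and password from the recipient's mailbox.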
-
RE: Gophemeral
Awesome project!
Question, is the secret encrypted within the DB which uses the pw to decrypt? Additionally, is the DB encrypted at rest?
-
RE: Miscellaneous Tech News
@scottalanmiller said in Miscellaneous Tech News:
Finally the media talking about how AD is a huge risk. Stuff we've been saying for years.
https://www.infosecurity-magazine.com/opinions/solarwinds-on-premises-active/
It's likely the biggest enabler of lateral movement of systems that are part of it. It's crazy to consider having devices as part of an AD environment these days.
Every single place I have come in contact with lately is either moving away from it or already has. I was part of the charge for moving away from it where I'm at and it's one of the best things to have done.
-
RE: Miscellaneous Tech News
Microsoft launches Viva, its new take on the old intranet
Microsoft today launched Viva, a new “employee experience platform,” or, in non-marketing terms, its new take on the intranet sites most large companies tend to offer their employees. This includes standard features like access to internal communications built on integrations with SharePoint, Yammer and other Microsoft tools. In addition, Viva also offers access to team analytics and an integration with LinkedIn Learning and other training content providers (including the likes of SAP SuccessFactors), as well as what Microsoft calls Viva Topics for knowledge sharing within a company.
-
RE: Blind swap / automatic rebuild on software RAID
Storage Spaces on Windows Server did it automatically as well. I actually verified it in a PoC.
-
RE: Random Thread - Anything Goes
@dafyre said in Random Thread - Anything Goes:
@nadnerB All they had to do was put a picnic basket on the ground, lol.
Or a jar of honey
-
RE: SAMIT: Is Open Source Licensing More Secure?
This was a great explanation! Lots of good points, well done!
-
RE: Miscellaneous Tech News
Microsoft open sources the storage engine that powers Exchange Server, Office 365, and parts of Windows
Microsoft recently open-sourced the Extensible Storage Engine (ESE, once known as JET Blue).
ESE is a non-SQL database engine with more than 25 years of serviceable lifetime. It was started with Windows NT 3.51 and it still remains a core Microsoft asset to this day. Even today, Office 365 Mailbox Storage Backend servers, large SMP systems, and every single Windows client have ESE code.
-
RE: MPLS alternative
@hobbit666 said in MPLS alternative:
Any link to good reading on zero-trust stuff?
This is a good start:
-
RE: MPLS alternative
@hobbit666 said in MPLS alternative:
So following on from another thread.
In today's modern day, how would you handle:
*Multiple site connections around 60 sites.
*Internet access via a firewall for "security" either at a single point or something per connection? Nice to have Intrusion detection blah blah blah and content filtering. Will need to allow certain ports in and out (I know this is normally standard on Firewalls/UTMs but worth mentioning)
*semi managed with high SLA. How would multiple VPNs be handled. Would it be a case each site's router would have multiple VPNs to each site? Or a single VPN to a single "master" site/device.
This kind of thing makes me laugh a little, because it seems all the worst hacks and breaches to companies and networks have nothing to do with someone breaking into the network in all the ways your entire post puts forward about LAN-based security.
Why no intent towards a Zero Trust architecture?
-
RE: Miscellaneous Tech News
@scottalanmiller said in Miscellaneous Tech News:
@mlnews said in Miscellaneous Tech News:
Google halts Play Store 'review bombing' by GameStop traders
Google has removed a wave of negative reviews of popular stock-market trading apps targeted by furious investors.
Platforms such as Robinhood have been hit after preventing independent traders buying GameStop and AMC shares. Users of a Reddit message board had managed to upset the market by buying the shares and inflating their value, hitting established hedge funds. Many online traders, feeling betrayed by Robinhood's restrictions, have hit back with critical reviews of the app. Google has removed tens of thousands of one-star reviews for the widely-used trading app - which had previously had a four-star average. It says it takes action when it sees "fake ratings", designed to manipulate a product's average score.
AKA Google artificially inflates Robinhood ratings to make it look better than it actually is.
"Review bombing" isn't exactly what's going on, not when RH had a day of totally screwing things up, then people reviewed them. Yes, it's tons of bad reviews all at once, but for a lot of legit reasons. Google taking them out, to me, constitutes an attempt at securities fraud (and I wrote to the House oversight board last night stating the same thing.)
Apparently it's not the fault of Robinhood they halted buying certain stocks. CEO of Webull explains why in here:
-
RE: Recommendations for a new switch rack for my home
@wirestyle22 said in Recommendations for a new switch rack for my home:
So, as many of you know we have moved into our new home. The construction was completed in June. When we moved, a lot of stuff was pure chaos and organization kind of went out the window. This unfortunately includes my switch rack as you can see below. @BRRABill was kind enough to give me an old rack his company was getting rid of (Thanks Bill!) and it's served me well up until now. I've gotten to the point where I've taken care of mostly everything else and now I want to replace my rack with something that has a lot of cable management options and looks aesthetically pleasing.
Pics of what I have now:
This was put together pretty quickly so pardon how gross it looks. That's why I want to fix it.
I've had good luck with these in homes:
https://www.amazon.com/Tripp-Lite-SR42UBDPWD-Enclosure-Cabinet/dp/B003PC31UQ
-
RE: Hyper-V Manager Remote Delegation Permissions Denied - 2012 R2
@DustinB3403 said in Hyper-V Manager Remote Delegation Permissions Denied - 2012 R2:
@Obsolesce Except this is in a domain and that's literally all that was required.
So again, get bent.
Even worse than IMO.
He already covered what your screenshot shows here: https://mangolassi.it/post/358112
And it wasn't the issue.
-
RE: Hyper-V Manager Remote Delegation Permissions Denied - 2012 R2
@DustinB3403 said in Hyper-V Manager Remote Delegation Permissions Denied - 2012 R2:
Hopefully others find the OP post useful.
Doubtful, there's way more to it than your little tidbit, and nobody would want to sift through 100 replies in the reference post. It's best to use a full tried and true guide like here:
REMOTELY MANAGING HYPER-V SERVER IN A WORKGROUP OR NON-DOMAIN
-
RE: Miscellaneous Tech News
Microsoft FY21 Q2: Earnings Reach $43.1B Revenue as Cloud, Xbox, and Surface Thrive
Microsoft FY21 Q2 earnings show the company continues to record growth across almost all its product and service divisions.
-
RE: Miscellaneous Tech News
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
Remember the discussion recently where I felt that security researchers and vendors being allowed to keep secrets from the people that they know are at risk is bad? Well I'm definitely not alone.
I don't see the connection between your comment and the article.
The connection to be made was between a previous discussion and the article. His comment was referring to the link between the two.
-
RE: Email Signature management
For us, a large company, HR sends out a template to copy/paste from their email, which we add to the signature setting.
Never have to worry about it or manage anything until the company logo or your job title changes.
Easiest IMO. Everyone at the company does fine with it that way.