Warren Myers' Merikebi My online archive

Tag: security

a semi-permanent psa on passwords

Posted on 3 January 2019 by merikebi. Categories: technical

  • Passwords should never expire: https://www.sans.org/security-awareness-training/blog/time-password-expiration-die
  • Passwords should not be changed often: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
  • Password “complexity” is – mostly – a joke: https://www.xkcd.com/936
  • You have been breached: https://blog.augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches
  • Passphrases are better than passwords – and https://password.ga will generate them for you (it will also generate random passwords that pass complexity requirements)
  • Use a password manager of some …

Tagged: passphrase, password, psa, reference, security

do you leak?

Posted on 11 October 2018 by merikebi. Categories: cool, technical

It would seem I have configured OpenVPN, Squid proxy, and, to a lesser extent, Pi-hole well – none of the major sites that report IP, DNS, and other connection-related security issues find anything out of the ordinary when I’m either running “just” proxied, or VPN, or VPN+proxy. You should check yourself hereon: https://ipleak.net http://ip-check.info/?lang=en (ironic …

Tagged: dns, proxy, security, vpn

4 places to check your website’s ssl/tls security settings

Posted on 27 March 2018 by merikebi. Categories: technical

  • Qualys – https://www.ssllabs.com/ssltest
  • High-Tech Bridge – https://www.htbridge.com/ssl
  • Comodo – https://sslanalyzer.comodoca.com
  • SSL Checker – https://www.sslchecker.com/sslchecker

Tagged: security, ssl, tls

on entropy, password/passphrase complexity, and if you’ve been part of a data breach (spoiler alert: you have)

Posted on 30 November 2017 by merikebi. Categories: education, personal, technical, work

I wrote an article on passwords, passphrases, entropy, and data breaches for my employer’s blog: https://augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches

Tagged: data-breach, entropy, passphrase, password, security

what is “plan b” for iot security?

Posted on 16 November 2017 by merikebi. Categories: commentary, ideas, technical

Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B? We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference. We need a …

Tagged: iot, security. 4 Comments on what is “plan b” for iot security?

how did i never know about .ssh/config?

Posted on 13 April 2016 by merikebi. Categories: technical

I’m sure folks have tried to explain this to me before, but it wasn’t until today that it finally clicked – using .ssh/config will save you a world of hurt when managing various systems from a Linux host (I imagine it works on other platforms, too – but I’ve only started using it on CentOS). …

Tagged: encryption, how-to, linux, security, ssh

improve your entropy pool in linux

Posted on 1 April 2016 by merikebi. Categories: technical, tutorial

A few years ago, I ran into a known issue with one of the products I use that manifests when the Red Hat Linux server it’s running on has a low entropy pool. And, as highlighted in that question, the steps I found 5 years ago didn’t work for me (turns out modifying the t …

Tagged: cryptography, encryption, entropy, haveged, linux, random, security, twuewand. 2 Comments on improve your entropy pool in linux

can you disable encryption on a windows server?

Posted on 30 March 2016 by merikebi. Categories: commentary, technical

This was asked recently on Server Fault. I’m asking if there’s a way to prevent files from being encrypted. I’m referring to some extent to ransomware, but specifically I want the following scenario: Windows File server w/ shares (on the E: drive) I want a way to tell the above server “don’t allow files on …

Tagged: encryption, ransomware, security, windows. 2 Comments on can you disable encryption on a windows server?

dave winer is wrong

Posted on 3 February 2016 by merikebi. Categories: commentary, technical

Or maybe he’s right. But for the wrong reason. Over on Medium, which is where I saw his post, Dave said: “The problem of requiring HTTPs in less than 140 chars: 1. Few benefits for blog-like sites, and 2. The costs are prohibitive. There’s actually a #3 (sorry) — 3. For sites where the owner is …

Tagged: blog, blogging, https, security, ssl

keep your wordpress installs up-to-date

Posted on 13 April 2015 by merikebi. Categories: bglug, technical, warning

I run several websites on my server – nothing heavy, just some various vhosts for Apache. Many (but not all) of them run WordPress. At some unknown point (and I haven’t kept the crap that was being used around), over 100,000 files were uploaded to the root directory of one of the websites (the only …

Tagged: ddos, hosting, javascript, linux, security, vulnerabilities, wordpress. 3 Comments on keep your wordpress installs up-to-date

apps on the network

Posted on 14 July 2014 by merikebi. Categories: commentary, hmmm, ideas, insights, technical

{This started as a Disqus reply to Eric’s post. Then I realized blog comments shouldn’t be longer than the original post 🙂 } The app-on-network concept is fascinating: and one I think I’ve thought about previously, too. Hypothetically, all “social networks” should have the same connections: yet there’s dozens upon dozens (I use at least …

Tagged: networking, privacy, security, social, social-media. 3 Comments on apps on the network

integrisure – the business that never was

Posted on 24 March 2014 by merikebi. Categories: commentary, personal, work

For a long time I have been interested in real, actual, legitimate security. I am not a fan of the widespread use of security theater in our “post-9/11 world”, as Bruce Schneier calls it. Integrisure was supposed to be a real-world pentesting of “secure” facilities, a la Sneakers. In late 2000 / early 2001, I was working on …

Tagged: security

on-demand, secure, distributed storage

Posted on 7 October 2013 by merikebi. Categories: ideas, technical

In follow-up to a friend’s blog post on TrueCrypt, and in conjunction with some previous investigation and interests I have had, I am wondering how difficult it would be to run a tool like MooseFS in conjunction with TrueCrypt to provide a Wuala-like service as a plausibly-deniable data haven a la Cryptonomicon.

Tagged: cloud, encryption, security, storage. 2 Comments on on-demand, secure, distributed storage

after “the cloud”

Posted on 19 July 2013 by merikebi. Categories: commentary, technical

Cloud computing has been hyped for the last decade+. For those few of you who haven’t heard of it and understand it, cloud computing is a computing-as-a-utility concept wherein compute (and storage) happens on systems which you may not own. That’s it. So – now that we’ve been offloading our storage, computing, and other tasks to …

Tagged: cloud, computing, data, future, integrity, security

establishing a data haven cloud

Posted on 6 November 2012 by merikebi. Categories: ideas, technical

In Neal Stephenson’s seminal book, Cryptonomicon, he describes the creation of a “data haven” in the fictional Sultanate of Kinakuta. Why has no-one started building such a service (or, at least, not in a public way) on existing cloud services (e.g. AWS or Rackspace) and/or created their own global network? Data backup and replication is not …

Tagged: backup, business, cloud, cryptonomicon, data, encryption, security, startup. 3 Comments on establishing a data haven cloud