[-] kristoff@infosec.pub 7 points 2 months ago

ah. That looks very interesting. And they have a show here in the EU, and it seems to work with gadgetbridge (thx Lambda RX :-))

Thanks!

45
submitted 2 months ago* (last edited 2 months ago) by kristoff@infosec.pub to c/linux@lemmy.ml

Hi all,

Simple question. Does anybody know a (not to expensive) sportswatch that is supported by Linux / FOSS software?

(Yes, I know 'FOSS software' is two times the word software) ๐Ÿ˜€

7
apps .. repo or not (m.krbonne.net)
submitted 2 months ago* (last edited 2 months ago) by kristoff@infosec.pub to c/cybersecurity@infosec.pub

Hi all,

Interesting problem. An open-source project gets their app removed from google play, so they post a message on mastodon that -for the time being- you can download the app via direct download.

I post a reply saying that directing people to a direct link is not a good idea, as hackers could start doing the same to spread malwhere, better use an official repo (like f-droid, where they are already on).

A typical problem of somebody who writes a genuine post, but without realising it himself writes something that is very close to what a phishing message would look like.

However, this got me thinking. What you want to avoid is that people get used to the idea that it is OK to download and install apps from a random URL. But if you point people to f-droid, they need to also download the apk for that, and configure the security on your phone that apk's downloaded via may be installed.

I guess, the later should surely be avoided as most people will then leave that option enabled. (I had to search deep into the security setting to find the option to switch it off again).

What are your opinions on this? What would be the best way to do this and not teach people bad security habbits?

Direct download or f-droid? Other ideas? Is there a good sollution for this?

Kr.

[-] kristoff@infosec.pub 5 points 3 months ago* (last edited 3 months ago)

Protection of citizens against unjust ruling by a court is a protection-principle of democrary.

Why would you grant such a protection to an organisation aimed at destroying democracy (X/twitter)?

[-] kristoff@infosec.pub 7 points 3 months ago

Wauw! So many answers in such a short time. Thanks all! ๐Ÿ‘ (I will not spam the channel by sending a thank you to all but this is really greatly apriciated)

Concerning ncurses. I did hear of it but never looked at it myself. What is not completely clear for me. I know you can use it for 'low-level' things, but does it also include 'high-level' concepts like windows, input fields and so?

The blog mentioned in one of the other posts only shows low-level things.

56
submitted 3 months ago by kristoff@infosec.pub to c/linux@lemmy.ml

Hi all,

Perhaps a stupid question. Some time ago, I received a rpi zeroW as a gift, but as I did not have any use for ii I passed it to somebody else in our electronics-group. Now, that person has had a +30 year carreer as self-taught programmer -starting out with BASIC on DOS machines- so he showed of some of his old BASIC applications in dosbox on the pi.

So far so good, but he had an interesting question: Years ago, I wrote a library in BASIC for screen / window applications in DOS. (you know, pop-up text-windows and so on). How do I do that on linux (in C)?

As I myself only do 'backend' coding (so no UI), I have to admit I did not have any answer to that.

So, question, For somebody who has mostly coded in BASIC (first DOS and later Visual Basic) and now switched to C and python, what is the best / most easy tool to write a basic UI application with window-function on linux/unix. I know there exist things like QT and ncurses, but I never used these, so I have no idea.

Any advice?

Kr.

[-] kristoff@infosec.pub 28 points 3 months ago

This is a typical mail a phishing campaign would send out, and we have already said to people "never believe this kind of messages. They are all fake.

Now, if a genuine company sends out mails with a genuine gift-cards (what the article on techcrunch seems to indicate) .. this is NOT helpfull at all!!!

And that comming from a cybersecurity company (rolling-eyes)

11
replacing memories (infosec.pub)
submitted 4 months ago by kristoff@infosec.pub to c/cyberpunk@lemmy.zip

An open question, related to cyberpunk culture.

Considering the possibilities of current social-engineering as used by social media and desinformation, to what degree ido you think it is now possible to 'implant' fake memories into somebody's consciousness, without that person noticing it.

23
submitted 10 months ago by kristoff@infosec.pub to c/selfhosted@lemmy.world

Hi all,

Well, my question is in the title of of post. :-)

Does somebody know if there exists an easy sollution to share files to users (e.g. members of an organisation), based on the fact that the user is known in a SSO (authentik) ?

I know nextcloud would be an option, but that would create a nextcloud account for all the users, .. which is quite overkill for what is needed here.

I know we can probably build something based on apache, PHP or so, .. but if there would be a ready-to-use service for this, that would be nice. (and probably a lot more secure then what I would build myself :-) ).

Kr.

[-] kristoff@infosec.pub 5 points 10 months ago

Yes. Fair point.

On the other hand, most of the disaster senarios you mention are solved by geographic redundancy: set up your backup // DRS storage in a datacenter far away from the primary service. A scenario where all services,in all datacenters managed by a could-provider are impacted is probably new.

It is something that, considering the current geopolical situation we are now it, -and that I assume will only become worse- that we should better keep in the back of our mind.

[-] kristoff@infosec.pub 4 points 10 months ago

The issue is not cloud vs self-hosted. The question is "who has technical control over all the servers involved". If you would home-host a server and have a backup of that a network of your friend, if your username / password pops up on a infostealer-website, you will be equaly in problem!

[-] kristoff@infosec.pub 5 points 10 months ago

Well, the issue here is that your backup may be physically in a different location (which you can ask to host your S3 backup storage in a different datacenter then the VMs), if the servers themselfs on which the service (VMs or S3) is hosted is managed by the same technical entity, then a ransomware attack on that company can affect both services.

So, get S3 storage for your backups from a completely different company?

I just wonder to what degree this will impact the bandwidth-usage of your VM if -say- you do a complete backup of your every day to a host that will be comsidered as "of-premises"

93
submitted 10 months ago by kristoff@infosec.pub to c/selfhosted@lemmy.world

Hi all,

As self-hosting is not just "home-hosting" I guess this post should also be on-topic here.

Beginning of the year, bleeping-computers published an interesting post on the biggest cybersecurity stories of 2023.

Item 13 is an interesing one. (see URL of this post). Summary in short A Danish cloud-provider gets hit by a ransomware attack, encrypting not only the clients data, but also the backups.

For a user, this means that a senario where, not only your VM becomes unusable (virtual disk-storage is encrypted), but also the daily backups you made to the cloud-provider S3-storage is useless, might be not as far-fetches then what your think.

So .. conclussion ??? If you have VMs at a cloud-provider and do daily backups, it might be usefull to actually get your storage for these backups from a different provider then the one where your house your VMs.

Anybody any ideas or remarks on this?

(*) https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/

24
submitted 10 months ago* (last edited 10 months ago) by kristoff@infosec.pub to c/selfhosted@lemmy.world

Hi all,

Short question. Does somebody here run authentik as single sign-on provider? (dockerised?)

I'm looking for information on how to best backup a authentik server? Just do a backup of the postgres database and the docker-compose file? Something else? How crucial is the dump.rdb file of the redis container?

Kr.

14
submitted 11 months ago by kristoff@infosec.pub to c/selfhosted@lemmy.world

H all, Somebody here selfhosting jitsi meet?

I am working on a jitsi-meet setup for an organisation, now looking at the options for redundancy.

I have noticed you can configure multiple XMPP servers on the jitsiivideobridge. What is the exact goal of this?

Can you connect a jvb to multiple jitsj servers (domains)? or is this only for making the jitsii backend redundant?

Kr.

[-] kristoff@infosec.pub 7 points 1 year ago* (last edited 1 year ago)

Hi,

What is the reason you do not want a domain? it is not that DNS-domains are that expensive these days. The cheapest option I found is .ovh (which is one of the major cloud-providers in France), which is 3 euro / year (+VAT). You can then put as much hosts or subdomains under it, and it supports dynamic IP.

Agreed, .ovh is not the most "professional" looking domain, but it depends on what you want to do. If your goal is simply to have something for yourself / family / friends, then this is good enough.

BTW. Having your own domain for a nextcloud instance has additional advances: you can get a real https/tls certificate from letsencrypt, and -if you put a reverse proxy in front of your NC- it shields you from people who just scan the complete IP-space of the internet but who do not know your domain.

45

With jitsi meet now requireing registration (something I do understand, .. but I just happen not to have a google, MS or meta account), I am looking at selfhosting a jitsi meet for personal use.

Has somebody already done this? What are your experience? What are the hardware requirements? Docker or native? Linux or other OS? (FreeBSD)?

[-] kristoff@infosec.pub 5 points 1 year ago

or a one-way trip from a window on the 10th storey of a building all the way down to the ground.

12

Hi all,

Small question. Does anybody know if there already exists a lemmy community on disinformation (in the infosec area or more broadly)?

Thanks! :-)

Kr.

3

Hi all,

Had a small chat on #AI with somebody yesterday, when this video came up: "10 Things They're NOT Telling You About The New AI" (*)

What strikes me the most on this video is not the message, but the way it is brought. It has all the prints of #disinformation over it, .. especially as it is coming from a youtube-channel that does not even post a name or a person.

Does anybody know this organisation and who is behind it?

Is this "you are all going to lose your job of AI and that's all due to " message new? What is the goal behind this?

(Sorry to post this message here. I have been looking for a lenny/kbin forum on disinformation, but did not find it, so I guess it is most relevant here)

(*) https://www.youtube.com/watch?v=qxbpTyeDZp0

7

I do not think this has already been mentioned. As I guess most of you are also an mastodon (or another fediverse-enabled playform)

More info also here: https://github.com/revengeday/blackhand-mastodon-bot

[-] kristoff@infosec.pub 4 points 1 year ago

A /48 is quite overkill for a home customer. Do you have 65536 LANs at home? Here in Belgium, we get a /56.

[-] kristoff@infosec.pub 7 points 1 year ago

just out of interest .. somebody here on satellite? I am interested to know the prices for sat services out there?

[-] kristoff@infosec.pub 6 points 1 year ago* (last edited 1 year ago)

I dan't know if this is still valid but I used to be told to have different partitions for your system, logs and data (home directories) .. and have the swap-partition located in between them. This was to limit the distance the head has to move when reading from your system starts swapping.

But if you use a SSD drive, that is not valid anymore of course :-)

Kr.

view more: next โ€บ

kristoff

joined 1 year ago