I run easy-rsa on a linux box. Just manually generate CSR’s and sign them via SSH.
And simply trust the CA cert in windows, linux and whatever extra places (normally firefox cert store).
Post the crl.pem to /var/www/html/ and let NGINX use that.
For most things public like plex or whatever i just use letsencrypt. Easy-rsa is really just for internal stuff like my NAS, VPN etc.
I have 3.
Dakboard above the fridge shows calendar and shared photo album. It also runs bluetooth and serves as a relay for Homeassitant and a few kitchen devices (ie: igrill mini probe for meat).
pikvm for a desktop
pikvm+ kvm for lab rack esxi servers.
the latter two also run tailscale and allow me to SSH proxy if needed as a back VPN/remote access utility.
There is also a 4th. It runs NUT/UPS tools for their network gear and a mail relay for alerting and also tailscale so I can proxy if necessary.
Since its tailscale etc. Only key based auth is allowed on these boxes.
Honestly the only thing I can think of is the competition recently to hack a satellite, maybe has drawn the ire of some script kids, or rather interest. [1][2][3] I LOT of educational and research stuff is quite open, and often very resistant to change as they value access/transmissibility over security in many cases where theres no real grounds (ie: its not national secrets etc). Some of these datasets are quite large.
Even still basic things like firewalls, key based access etc should be setupo. Heck if its a multi-million dollar instrument airgapping is probably worth its time. But i dunno. Just conjecture on my part.
The competition definately brought some attention [4]
FWIW he says this in the beginning of the video.
I pay 95 for 400/12 and 1.2 TB. Count your blessings.
Yeah im similar. I still use 1080 monitors and just 2 at a regular workspace. Its about the perfect DPI for reading text. Things like 4k just make it harder or you have to bump up the fractional scaling, in which case why the more pixels?
Im fine to keep it to a laptop monitor when im mobile, and 2+laptop monitor for email when at a desk.
Beeper does want you to proxy your iCloud account through a Mac on their network for iMessage. You are logging into your iCloud account through their site. They are in effect using Mac minis in a farm to provide the service based on what I looked into (including self hosting it, but then you can’t use a beeper app, you need your own)
https://help.beeper.com/chat-networks/imessage?from_search=125277302
Any company that I have to give my username and password for a third party service (and especially one as important as icloud/imessage) ill take a hard pass.
I have a guy that does this. He puts so much effort in weird mobility solutions (ie: Dual monitors on a rolling table so he can work outside sometimes) or having a setup like this with TV’s, monitors etc all cobbled together.
Would you be surprised to hear hes not the most organized or efficient.
Possibly. What i was hearing seemed more like some weird DB/code gremlin thing. But I dunno. Literally never run it.
Also i think the deployment type was invovled. Maybe it was a docker specific thing??
I’ve been seeing them everywhere.
Those self service terminal at autozone? Pi’s.
Multiple threads people have mentioned random crashing, DB issues and nonsense/useless log outputs that don’t help find a cause and just require you to restore from backup.
No way I’d consider it for business use.
After the stability issues I’ve heard. I wouldn’t even consider nextcloud for my family at this point.
At this point i just interpret AI to be "we have lots of select statements and inner joins "
Can help with all of them. But check out opnsense.
Oh yeah. Of course old tpm (1.2) that was the only key to the Castle isn’t great in the hand of someone with some know how and alligator clips since it communicated in clear text at the bus level so key extraction was possible. But for most folks security model, who cares. If it was a risk the business handled it with a pass phrase and tpm.
Apple does security prettt well and integrated too. Especially for most that don’t care.
Im gonna be honest. I stopped reading here.
There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.
I do not recommend using a smartphone for banking. You’re asking for a huge attack surface & it’s reckless. People will do it anyway but to suggest that people should avoid Tor for banking on the basis that you’re assuming they are using a phone is terrible advice based on a poor assumption. Use Tor Browser from a PC for banking. That is the best advice for normies.
again, the article is about “normies” using tor to get it to lose its stigma… The only way it gets de-stigmatized is for “normies” to use it. The way “normies” access things is vastly different. There are risks to that. And its not just banking. Getting your email account hacked because you used it on a malicious exit node for one reason or another is just as bad, if not worse. Tor exit nodes are wholesale more malicious than your ISP.
I dont know why you are getting hyper fixated on specific use cases that were used as broad examples. Banking isnt the point its the general use of TOR and the risk it brings. Forest for the trees my guy.
Have a good one. We’re done here.
Good security comes in layers (“security in depth”). TLS serves users well but it’s not the only tool in the box.
Im glad we agree. Because its the entire point. You are nitpicking where it suits you and thats not really honest conversation. Tor browser isnt the only way to access tor and if you are talking about making tor more accessible using things like phones is going to be needed. There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.
And on a device with something like CalyxOS (or built with the app structure like calyxOS android based apps) that opens up a LOT more applications to using tor, some of which arent going to be locked down or configured appropriately. Its riskier. You seem to implicitly agree as you only pointed to a single example of XSS and just ignored other examples I provided…Surely we dont need to iterate through every attack vector out there? Because the point isnt those minutia there.
The point is, again, that Tor and specifically exit nodes are more hostile than normal ISP relays. They are actively malicious and often looking to exploit anything they can. Saying selling metatdata that is unencrypted is the same level of malicious as a nation state going after you (life and death) or having your identity or bank account stolen is clearly pretty naive. Even having your banking comprimised is a giant show stopper and theres no “well i have protections” flag to waive. You still have to deal with getting your funds back and paying for stuff to live in the interim. Its a very invasive process. Comparing that to an ISP selling your DNS queries (which im not even sure happens) is literally apples and orances
Those threat models all have a common denominator: mass surveillance. It is safe to assume mass surveillance is in everyone’s threat model as a baseline.
Thats a bad assumption. MOST people arent really concerned with it in the western world. Its why the apparatus exists. And thats not a Trump thing. its existed WAY before trump. Snowden showed that and it was Obama, not trump, that went after whistleblowers harder than any predecessor before them. Its why Snowden is still in exile to this day. Further trying to make this about “party” sides is a bad idea. Its something all parties, including most countries are not only a party to, but actively collaborating against. And there are some areas where straight access TOR is illegal and can get you in trouble. ANd the mass surveillance one country does (ie: US) is much different than another (ie China) so again its not just a giant brush to paint with there. Piping all data through Tor would make you look more suspicious in some of those latter countries and could increase your risk to fingerprinting or tracking, rather than selectively using it where and only when needed.
Copy them to the box. Sign them. Copy the cert file off the box back to the requester.