doorsopen's comments

doorsopen | 1 year ago | on: Thoughts on having SSH allow password authentication from the Internet

As someone who works with SREs every day, this breaks my heart.

1 - Don't be on-call while going skiing

2 - fail2ban and other automated systems can do this for you

3 - Passwords suck and are typically not regularly rotated unless you're using some centralized IdP

If you're in this situation you have already failed. If you use password auth, use 2FA as well, and then I don't cry; it's just toil though.
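The "automated systems can do this for you" point above, as an added illustration that is not part of doorsopen's comment and not fail2ban's own code: a small scanner over constructed sshd log lines that flags a source address once it reaches `maxretry` failed password attempts inside a `findtime` window, the two parameters fail2ban's sshd jail uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the page); addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:01 host sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:03 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jan 10 03:14:05 host sshd[2212]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 03:14:09 host sshd[2213]: Failed password for ubuntu from 203.0.113.7 port 51130 ssh2
Jan 10 03:14:11 host sshd[2214]: Failed password for root from 203.0.113.7 port 51132 ssh2
Jan 10 03:20:40 host sshd[2300]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Jan 10 03:20:55 host sshd[2301]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Jan 10 09:00:00 host sshd[2400]: Failed password for root from 198.51.100.20 port 40100 ssh2
"""

# Matches only password failures; "invalid user" lines carry the username one token later.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; a fixed one is assumed so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force_sources(log_text: str, maxretry: int = 5,
                             findtime: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: time_of_trigger} for sources with >= maxretry password failures
    inside a sliding findtime window (the same thresholds fail2ban's sshd jail uses by default)."""
    attempts = defaultdict(list)
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        # keep only failures that fall within findtime of the current one
        window = [t for t in attempts[ip] if ts - t <= findtime] + [ts]
        attempts[ip] = window
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = ts  # a real jail would install a firewall rule here
    return flagged
```

Two failures from 198.51.100.20 hours apart stay below the threshold, which is the behaviour you want so a single mistyped password from a legitimate user does not lock them out.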

doorsopen | 3 years ago | on: UK Government scans all web servers hosted in the UK for vulnerabilities

Someone types in your new server/domain, like "ijustmadethissite.com", or "newlocation.existingsite.com"

For their computer to resolve this domain name, it's going to call out to a DNS server, of which Google hosts a major one. It can be assumed that they log these names, and can then use that as a "notification" for a site coming up.

doorsopen | 3 years ago | on: Kill Bill – Open-Source Subscription Billing and Payments Platform

Maybe an uninformed question, but I took a look at the documentation, the Stripe plugin demo, and then looked at what Stripe offers. As someone who uses neither but might be interested in subscription + shop type purchases, what do I get with KillBill+Stripe that I don't with just Stripe?

doorsopen | 3 years ago | on: Splunk IP suit against Cribl

I think the line is drawn at actual stealing. In this case, they're not redesigning the protocol from memory or black box testing. Allegedly, they took several specs of the protocol from former employees. Even then, apparently the founders were involved in some of the patent filings from Splunk that they are accused of violating. You can't claim IP for a company in the form of a patent and then turn around and re-implement that IP. You clearly believed it was patentable since you patented it. There are ways of doing this (clean room dev) if you wanted to do that without infringement. (I do feel a lot of the patent claims in the lawsuit are typical generic weak software patents.)

Really egregious is taking the sales data. Business analytics around leads, customer satisfaction, pricing, etc., are not the same as retaining general knowledge. If you left and remember the point of contact you had at a customer, that's allowed (barring non-solicitation agreements). If you leave and you take a list of customers, data that the business has generated about them, etc., that was never yours and it's not your knowledge. It's clearly the business's, and there are usually dozens of people involved in the creation. That's clearly theft, especially since it was never yours to begin with.

doorsopen | 3 years ago | on: Splunk IP suit against Cribl

From the lawsuit, it looks like the most clear-cut evidence they have is:

- Founder publishing a private protocol definition to help in building for it

- Sales staff sending account and prospect info to their new Cribl email addresses before leaving Splunk

- Engineers leaving Splunk with technical specifications, such as their newer S2S protocol versions

The patent stuff is kind of whatever, but all three of those items would be enough to establish some very clear damages. Cribl's an exciting new player, but they can't take shortcuts like this, if the allegations are founded.
