Collaborate Disseminate
Tools like Ansible Vault, CNCF SOPS or Chezmoi make it easiy to keep secrets encrypted in version control, so that you can publish the repository, but still use the secrets inside when deploying. This is very common when sharing system con… Continue reading Is it safe to publish encrypted secrets in a git repository?
I’ve got an application that isn’t very robust and, as a result, is very sensitive to anti-virus scanning. I tried both the basic/free Windows Defender and a NextGenAV (i.e., SentinelOne). Both had negative performance impact on the app’s … Continue reading Offline Anti-Virus Scan for Server
Why… Just Why…
Due to Shopify being unwilling to modify security headers further then removing them, the Cloudflare "Orange-to-Orange" problem (since Shopify uses Cloudflare as well), and my unwillingness to write a whole fro… Continue reading Selective frame busting without HTTP headers
Any security benefit to winmgmt operating outside of shared svchost processes via the command
winmgmt /standalonehost ?
As for security, yes, it is useful for changing wbem Authentication levels, which is changed by the command winmgmt /st… Continue reading Hardening WMI: Any security beneifit to "winmgmt /standalonehost"?
Question #1 Does changing the Default Impersonation Level in WMI to "anonymous" or "identify" help mitigate against WMI exploitation, implants, and persistent threats on a local machine? If so, please explain why… and… Continue reading Hardening WMI: Any security benefit to changing Impersonation level & separately, setting ‘Winmgmt Standalonehost?’
Using iptables, how do I drop an entire subnet that I am connected to, except for the gateway, in a manner that still allows me to retain my connectivity to it?
I’m looking for two iptables rules, one for just incoming, and another for out… Continue reading How to block entire subnets except their gateways with iptables? [migrated]
10 minutes after installing Nmap on a fresh install of windows, NMap loaded on its own and attempted to scan dozens of IP addresses around the globe. I never initiated the scan. Notice the source address is different than my own IP 192.168… Continue reading Nmap loads on its own, scans addresses, with a different source address than my PC. How is this possible?
I bought a used laptop and I’m concerned about the integrity of the firmware on the hardware and bios. I realize these types of malware are very rare.
1) My question is that if I assume that the BIOS or SSD or NIC firmware i… Continue reading Used laptop with potential BIOS/SSD firmware malware
I am using crytsetup with LUKS to encrypt a data drive, separate to the system drive, under Ubuntu 16.04. The issue I am facing is that this system will also be required to automatically start itself up in the event of power … Continue reading Disk encryption with automatic reboot and no-network
Visiting facebook.com you will query s.update.fbsbx.com. s.update.fbsbx.com is a CNAME to s.agentanalytics.com. Currently, the only way to block s.agentanalytics.com is to block s.update.fbsbx.com via hosts. Windows DNS clie… Continue reading Securing DNS by blocking querys AND responses [Dnscrypt questions]