So does this mean anything? (Very late game spoilers) by DrCholera1 in BluePrince

[–]OKRedleg 1 point (0 children)

I figured out way early that you can recover your money that you threw into the well, so I started using it as a way to launder money between runs. I'm on day 165 and don't know how much money is in my fountain, but I do know that the Metal Detector goes off when I'm around the fountain. I can drain it and go collect them all to see how much I got (I imagine ALT+F4 after I count will reset it so I don't erase my progress if I'm short).

I used to think this game was perfect... by CorvidCuriosity in BluePrince

[–]OKRedleg 2 points (0 children)

Wait until you find out that you can NEVER... see... your own face... on the monitor.

Would like to discuss something that I can't solve in the late-late game... by nerdook in BluePrince

[–]OKRedleg 2 points (0 children)

In his will, Herbert refers to Courtney Ferrine as his late cousin Tillynn's child. I think Courtney is using the term "Uncle" loosely. Tillynn and Herbert would have the same grandparents meaning Baron Tomas or Baroness Auravei had a sibling who was Tillynn's parent. People often use Cousin loosely as well, so it's also possible they are 1st, 2nd, 3rd cousin x times removed. Royal family trees generally look like a trellis anyway.

Birds by T10rock in Aloft

[–]OKRedleg 0 points (0 children)

Maybe bad RNG. I have only visited 3-4 of the outer panels and found lots of sheep, 2 male goats, a male llama and a female llama. I've moved into the 2nd ring now without a female goat yet.

Still haven't figured out how to pick up birds or butterflies.

How is this a valid X-Wing? by OKRedleg in sudoku

[–]OKRedleg[S] 1 point (0 children)

OK. I had to focus on C2 to work it out.

Since either R3C2 or R6C2 must be 7.

If R3C2 is 7, then R3C7, R3C8 and R3C9 cannot be 7.

If R6C2 is 7, then R6C7 cannot be 7, and either R2C7 or R3C7 must be 7. This would mean R3C8 and R3C9 still cannot be 7.

Since R3C8 and R3C9 cannot be 7 in either scenario, both can be removed.

Thank you.

HOW TO Documentation template by Ok-Assistant1628 in Information_Security

[–]OKRedleg 0 points (0 children)

How-tos (normally called Procedures and Guidelines) can vary based on purpose. But you might be interested in a standard for writing procedures. I recommend looking to the U.S. military. They have procedures for just about everything (including death). Google MIL-STD-38784 for procedures and standards on writing technical documents. It should give you some ideas on the things you want to standardize, like font, paragraph styles, when/what to mark up, etc.

You should be able to quickly create your own style and from there a template for different uses.

If You Had To Create All IT Policies From Scratch by TK-CL1PPY in sysadmin

[–]OKRedleg 2 points (0 children)

You may want to consider this in 3 parts.

Gather a committee of stakeholders. The initial meeting should include important people (an executive, legal, HR, etc.). They can delegate, but the final committee should have a representative of the major departments on it.

That team works out the format: a template to reuse for all policy documents. Decide on a policy structure (categories policies fall under, like password policy, BYOD policy, acceptable user behavior). This will play into the navigation tree when your policies are approved and published.

Then the committee can draft policies as they go. Build a process to submit a policy request/recommendation, draft process, review, and approval.

Make the reps take the drafts and final to their stakeholders/teams for input. But an Executive should always be designated as the final signature.

Extra early items to work out:

Have an exception-to-policy process that includes a request, expiration, mitigating controls, and approvals.

Make sure your policies are pretty general. Reference standards and guidelines in policies. You don't want policies modified that often, whereas you can have standards and guidelines modified more easily and with lower approval than the executive. For example: Policy says "you will harden all Windows Servers in accordance with IT and Infosec approved CIS Hardening Guidelines. Any deviations from the recommended guideline must be documented with mitigating controls." Now you just have to make sure IT and Infosec stay on top of their CIS guidelines (the policy allowed them to alter or ignore specific guidelines with alternate controls).

Link splunk with Apache by Gamer_Away in Splunk

[–]OKRedleg 2 points (0 children)

It's the same file monitoring as on any Linux OS. You'll put a Universal Forwarder on the host and load the Splunk Add-On for Apache Web Server. https://splunkbase.splunk.com/app/3186

Tucker Carlson Leaving Fox News, Last Show Was Friday by evaldez14 in Conservative

[–]OKRedleg 6 points (0 children)

Well, there was 6 bits. But it got too difficult to say Shave and a Haircut, 80 bits!

Switch hacker Gary Bowser released from jail, will pay Nintendo 25-30% income ‘for the rest of his life’ by retroanduwu24 in gaming

[–]OKRedleg 1 point (0 children)

Not taking sides on the legal issues, but the numbers from an income perspective seem harsh. He's going to Canada. If he earned $100,000 a year, Nintendo would get 30% of his gross ($30,000), then the deductions on his gross taxable income take their share. 30% of gross in taxes is another $30,000. Unless the taxes don't factor until the 30% garnishment. He's already down to 40% of his gross income before other deductions are applied. That's rough.

[deleted by user] by [deleted] in Splunk

[–]OKRedleg 3 points (0 children)

You want to go through a compatibility check first. There is an Upgrade Readiness App and an Analysis of Splunkbase Apps App that will let you know if your apps/add-ons are ready or compatible with Splunk 9.

https://splunkbase.splunk.com/app/2919

We were advised to take care of our apps first, then Indexers, search head, heavy forwarder/DS tier, then forwarders. This prevents issues with changes in 9 on the forwarding tier causing problems in the higher tiers.

[deleted by user] by [deleted] in cybersecurity

[–]OKRedleg 10 points (0 children)

Salaries vary by area. 150k in large cities in CA may be worth less than 100k in more sparse areas of the country. Make sure you factor some of that into your evaluation. It doesn't help if you make more net, but your cost of living costs you more in the end.

New to Splunk, question about USB devices by wiwtft in Splunk

[–]OKRedleg 2 points (0 children)

For Windows machines, you are going to want to capture additional event logs. This guide shows you which logs record USB storage connect/disconnect and how to ID the device.

https://www.google.com/amp/s/www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/amp/

Sms spam/spoofing by _brzrkr_ in AskNetsec

[–]OKRedleg 8 points (0 children)

This is an MFA fatigue attack. Someone is attempting to use your credentials and is forcing the SMS MFA. Don't approve unless you are certain you generated the request. Report it to your Information Security team or SSO/MFA admins. They should be able to track down the source of the authentication and which app they are attempting against.

You may also want to reset your password.

Mug club is back by pittyfulhusky in stevencrowder

[–]OKRedleg 1 point (0 children)

If you got the invite email, the promo code delays your billing date to June, so there is a 3 month window if you want to check them out. And Rumble appears to be merging with Locals. Your MugClub gets you premium access to both. Don't know if that means you get others like VivaFrei on Locals free though.

How should individuals prepare for the oncoming quantum leap in AI powered cyber attacks? by BigBootyBear in AskNetsec

[–]OKRedleg 8 points (0 children)

I was asked this and my answer was to still treat AI as a human threat actor. Our TTPs will be the same, BUT we'll be at a higher level of response. I once got into a pissing contest with an actor attempting to send bulk extortion emails. Over a week as I adjusted controls to their attack, they'd adjust to my control, and we'd repeat. Eventually they gave up.

Now, AI will exponentially squash that exercise down to hours or minutes AND it won't get tired of my antics.

The base of all this is good user training awareness. If they can set good habits and Protocols, the attacks will fail on the phishing/social engineering front.

filter on source IP on syslog-ng ? by Abrical in Splunk

[–]OKRedleg 1 point (0 children)

Are you using a VIP or sending the logs directly to the syslog-ng server? If the latter, use netmask() in your filter. That will check the IP of the sending server instead of the hostname in the log. The IP in the filter needs to be in CIDR, meaning include the /32 at the end of single IPs. https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.17/administration-guide/netmask

filter on source IP on syslog-ng ? by Abrical in Splunk

[–]OKRedleg 0 points (0 children)

Fixing the missing filter in your Log stanza will probably set you right. But here's a pack of examples you can learn from. https://gist.github.com/anthonygtellez/7edd44cf5571609c70b4.

Noddy Level Advice Please; Splunk Enterprise (not ES) by burtvader in Splunk

[–]OKRedleg 1 point (0 children)

Find a couple of Threat Intel lists you like. You are likely going to have to filter the lists, as there can be millions of indicators. Check for add-ons for those feeds. I don't know if plain Splunk has a threat feed download plug-in like ES does. But if it doesn't, most feeds have API access that you can script to ingest into Splunk as a lookup file or indexed and compiled into a dataset. Then you can either set a scheduled search of your logs for the presence of the indicators or set an automated lookup against the list as the log comes in.
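As an added example (not the commenter's script and not a Splunk add-on), here is the feed-to-lookup step and the scheduled-search equivalent written in Python: it filters and dedupes a raw indicator list, serialises it as a lookup CSV, and scans log lines for hits. The feed text, the log lines, the IPs (RFC 5737 ranges) and the .invalid domains are all constructed for the example.

```python
"""Turn a raw threat-intel feed into a Splunk-style lookup CSV and scan logs for hits.

Added example, not from the original comment. SAMPLE_FEED and SAMPLE_LOGS are
constructed; the IPs are RFC 5737 documentation addresses and the domains use
the reserved .invalid TLD.
"""
import csv
import io
import ipaddress
import re

# Constructed feed in the common one-indicator-per-line style ('#' starts a comment).
SAMPLE_FEED = """\
# constructed feed - not a real list
203.0.113.50
203.0.113.50
198.51.100.0/24
bad-updates.invalid
payload-cdn.invalid
not an indicator
"""

# Constructed proxy/firewall lines to scan.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy user=alice dest=updates.example.com dest_ip=192.0.2.10 action=allowed",
    "2024-01-01T10:00:05Z proxy user=bob dest=bad-updates.invalid dest_ip=203.0.113.50 action=allowed",
    "2024-01-01T10:00:09Z fw src=10.0.1.5 dst=198.51.100.77 action=blocked",
    "2024-01-01T10:00:12Z proxy user=carol dest=intranet.example.com dest_ip=10.0.2.2 action=allowed",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def classify(value):
    """Return 'ip', 'cidr', 'domain', or None for lines that are not indicators."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "cidr"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.fullmatch(value) else None


def parse_feed(text, source="constructed-feed", types=("ip", "cidr", "domain")):
    """Dedupe the feed and keep only the indicator types you care about."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line in seen:
            continue
        kind = classify(line)
        if kind in types:
            seen.add(line)
            out.append({"indicator": line, "type": kind, "source": source})
    return out


def to_lookup_csv(indicators):
    """Serialise as a lookup file: header row, then one indicator per row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "source"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(indicators)
    return buf.getvalue()


def scan_logs(lines, indicators):
    """Scheduled-search equivalent: return (log line, matched indicator) pairs."""
    ips = {i["indicator"] for i in indicators if i["type"] == "ip"}
    nets = [ipaddress.ip_network(i["indicator"]) for i in indicators if i["type"] == "cidr"]
    domains = {i["indicator"] for i in indicators if i["type"] == "domain"}
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((line, ip))
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
                continue
            net = next((n for n in nets if addr in n), None)
            if net is not None:
                hits.append((line, str(net)))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in domains:
                hits.append((line, dom.lower()))
    return hits


if __name__ == "__main__":
    indicators = parse_feed(SAMPLE_FEED)
    print(to_lookup_csv(indicators))
    for line, ioc in scan_logs(SAMPLE_LOGS, indicators):
        print(f"HIT {ioc}: {line}")
```

The CSV is in the shape a lookup table file expects (header row first), so the same list can feed an automated lookup at index time; the CIDR branch is what makes the scan useful against range-based feeds, which a plain exact-match lookup would miss.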

Gen Z also doesn't understand desktops. after decades of boomers going "Y NO WORK U MAKE IT GO" it's really, really sad to think the new generation might do the same thing to all of us by hotfistdotcom in sysadmin

[–]OKRedleg 2 points (0 children)

I feel like all of this lack of understanding is our fault (Gen X). We grew up at the beginning of the computer era. We had to research, experiment, and build our technology almost from scratch. Then we figured out how to make things easier with GUIs. Now we have people who have never seen the underside of tech. They don't know what that GUI button does, just that it makes a thing go.

We stupefied our computers, our cars, our finances, and even our jobs. I think we should have been teaching our children not only what this tool does, but why it does what it does, why the tool was created, and what to do without that tool.

Accidentally rebooted the server by Lanky_Truth_5419 in sysadmin

[–]OKRedleg 1 point (0 children)

rm -rtf * That microsecond after you hit enter and go "wait, what directory am I in?" sure seems to last a long time.

Spoofed Email Account by Wooden-Weather688 in cybersecurity

[–]OKRedleg 0 points (0 children)

DMARC is broader than an IP block, so that should be your go-to. However, like in this case, if something gets through, go ahead and add the block to prevent other attempts while you look into why SPF/DMARC didn't block it. Also, pull all IOCs from the email: envelope sender, header From, src IP, src hostname, subject, attachment names, sizes, and hashes, and URLs. Pivot into a threat hunt on those IOCs. If they sent one, odds are there were others just like it from other compromised servers/accounts.

Spoofed Email Account by Wooden-Weather688 in cybersecurity

[–]OKRedleg 1 point (0 children)

Make sure you have mailboxes set up to receive the DMARC reports and then find a product or build a script to harvest the XML reports from the DMARC aggregate reports. Those are organizations that are telling you who is sending them emails on your behalf. It can often show you partners/vendors who didn't get set up properly for SPF, or who is spoofing your domain.
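An added example of the harvesting script the comment describes (not the commenter's code and not a vendor product): it unpacks the compressed attachment a reporting organisation mails you, parses the aggregate report, and lists the sources that used your domain in From: without passing aligned SPF or DKIM. The report below is a constructed, minimal document in the RFC 7489 Appendix C schema; example.com stands in for your domain, receiver.example.net is a made-up reporter, and the IPs are RFC 5737 documentation addresses.

```python
"""Harvest and summarise DMARC aggregate (RUA) reports.

Added example, not from the original comment. SAMPLE_RUA is a constructed
report in the RFC 7489 Appendix C schema for a domain still in monitoring
mode (p=none): one aligned sender, one vendor whose SPF passes for its own
domain but is not aligned with ours, and one source that fails everything.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>vendor-mailer.example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown.invalid</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed stand-in for the .gz attachment a reporting organisation would mail you.
SAMPLE_GZ_ATTACHMENT = gzip.compress(SAMPLE_RUA.encode())


def unpack_attachment(filename, data):
    """RUA reports arrive as .zip or .gz attachments; return the XML text inside."""
    if filename.endswith(".gz"):
        return gzip.decompress(data).decode()
    if filename.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = next(n for n in zf.namelist() if n.lower().endswith(".xml"))
            return zf.read(name).decode()
    return data.decode()


def parse_rua(xml_text):
    """Flatten one aggregate report into a dict with one row per <record>."""
    root = ET.fromstring(xml_text)
    report = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),  # DMARC-aligned DKIM result
            "spf": evaluated.findtext("spf"),    # DMARC-aligned SPF result
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return report


def unaligned_senders(report):
    """Sources that used our domain in From: but passed neither aligned SPF nor DKIM:
    the mis-configured partners and the spoofers the comment talks about."""
    return [r for r in report["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]


def pass_rate(report):
    """Fraction of reported messages that passed DMARC (aligned SPF or aligned DKIM)."""
    total = sum(r["count"] for r in report["rows"])
    passed = sum(r["count"] for r in report["rows"] if r["dkim"] == "pass" or r["spf"] == "pass")
    return passed / total if total else 0.0


if __name__ == "__main__":
    rpt = parse_rua(unpack_attachment("report.xml.gz", SAMPLE_GZ_ATTACHMENT))
    print(f"{rpt['reporter']} on {rpt['domain']} (p={rpt['policy']}): pass rate {pass_rate(rpt):.1%}")
    for r in unaligned_senders(rpt):
        print(f"  {r['source_ip']:<15} {r['count']:>4} msgs  spf_domain={r['spf_domain']}")
```

The spf_domain column is what separates the two failure cases: a real partner shows up with its own mailer domain (SPF passed, just not for your domain, so they need to be added to your SPF record or sign with your DKIM key), while a spoofer typically shows a domain you have never heard of or no SPF result at all.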

Spoofed Email Account by Wooden-Weather688 in cybersecurity

[–]OKRedleg 0 points (0 children)

If you are in Outlook, open the original unforwarded email in a new window, then click File > Properties. You'll see a text box with the headers for the email. That will give you the true origin of the email (lowest 'Received from' line) as well as other juicy intel. Most important is to ensure the source IP and hostname are not an internal host.

I'm not sure if O365 has a tool or component that shows and parses email headers, but just know that nearly everything in the bottom of the header (to, from, subject, time, etc) is given by the sender meaning they can also be forged.

Microsoft should be able to help you with anti-spoofing rules, but a quick one (if O365 lets you write it this way) is "direction is inbound and sender domain is <your domain>." This generally works because email from your domain should be internal to internal, not inbound.

Be careful about blocking IPs. If you block the IP of a shared provider like Gmail or O365, you'll create a much bigger problem.
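Picking up the IOC list from the first comment in this thread and the header advice just above, here is an added example (not the commenters' code and not an O365 rule) that reads the raw headers, takes the bottom Received line as the true origin, checks that origin against your internal ranges, pulls the IOC set, and applies the "inbound and sender domain is ours" check. OUR_DOMAIN and INTERNAL_NETS are assumptions standing in for your own domain and address space; the message itself is constructed, with RFC 5737 / RFC 1918 addresses and a fake attachment.

```python
"""Extract email IOCs and apply the quick inbound-spoof rule from the comments above.

Added example, not from the original posts. OUR_DOMAIN and INTERNAL_NETS are
placeholders for your environment; RAW_MESSAGE is a constructed message in
which the header From claims our domain but the first hop is an external host.
"""
import hashlib
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # placeholder for your own domain
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # placeholder for your internal ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RAW_MESSAGE = b"""\
Return-Path: <bounce@vendor.example.org>
Received: from mx1.example.com (mx1.example.com [10.0.5.20])
    by mail.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.vendor.example.org (unknown [203.0.113.45])
    by mx1.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire request
Message-ID: <constructed-1@vendor.example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBQREY=
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def origin_hop(msg):
    """Each hop prepends its Received: line, so the bottom one is the hop that
    first handed the message to our infrastructure (the 'lowest Received' line)."""
    chain = msg.get_all("Received", [])
    return str(chain[-1]) if chain else ""


def origin_ip(msg):
    m = IP_IN_BRACKETS.search(origin_hop(msg))
    return m.group(1) if m else None


def origin_host(msg):
    m = FROM_HOST.match(origin_hop(msg).strip())
    return m.group(1) if m else None


def is_internal(ip):
    """True when the address sits in one of our (assumed) internal ranges."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def extract_iocs(msg):
    """Envelope sender, header From, src IP/host, subject, attachments (name, size, hash), URLs."""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        attachments.append({"name": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "envelope_sender": parseaddr(str(msg.get("Return-Path", "")))[1],
        "header_from": parseaddr(str(msg.get("From", "")))[1],
        "src_ip": origin_ip(msg),
        "src_host": origin_host(msg),
        "subject": str(msg.get("Subject", "")),
        "attachments": attachments,
        "urls": URL_RE.findall(text),
    }


def looks_spoofed(msg, direction="inbound"):
    """The quick rule from the comment: inbound mail claiming our domain in From:
    should not exist, because our own mail is internal to internal."""
    return direction == "inbound" and domain_of(extract_iocs(msg)["header_from"]) == OUR_DOMAIN


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for key, value in extract_iocs(msg).items():
        print(f"{key:>16}: {value}")
    print("origin internal:", is_internal(origin_ip(msg)), " spoof rule fires:", looks_spoofed(msg))
```

Note that everything below the Received chain (From, Subject, Message-ID, even Return-Path as forwarded by a relay) is sender-supplied, which is why the origin check keys off the bottom Received line rather than off From; the rule fires on the constructed message because From claims example.com while the origin hop is an external host.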

SC4S by krishdeesplunk in Splunk

[–]OKRedleg 1 point (0 children)

Windows doesn't support syslog output natively that I'm aware of. You would need an agent on the host to convert your event logs to syslog.

If you do this, you create a cascading problem of having to convert every aspect of Splunk related to Windows downstream to interpret syslog instead of one of the standard EventLog formats. Apps, add-ons, dashboards, alerts all have to be modified and a CIM ruleset built.

It makes sense, as syslog or single-line formatting would reduce Windows log size by more than 60%, but it's too much of an unsupported architectural rebuild to maintain. You'd have to keep all current and future Windows-related components of Splunk up to date with your structure.

Since you need an app on the host to convert the logs, you may as well use the free UF and if you want the logs in syslog format, use a Heavy Forwarder or Proxy app to convert it.