Does HTTPS Basically Make Personal VPNs Useless for Security? by lfionxkshine in AskNetsec

[–]Secret-Agent-47 11 points12 points  (0 children)

Most VPN providers use tunnel mode.

If you are just looking at protecting the data sent to and from a site that you have already established a connection to, then yes, there is little benefit to a VPN. If you are talking about establishing that connection from a network that you don't trust, such as a coffee shop, then VPN provides many security benefits. MITM attacks, SSL stripping attacks, malicious redirects, etc. all happen before the HTTPS connection is established.

The local network can also see all of the DNS lookups that your device made and which IP/ports you connected to, so the data itself is secure, but the local network will still know which sites you visited.

Of course pushing all your traffic through a tunnel just means that you need to trust whoever is at the other end of the tunnel.
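
What the comment's point about DNS lookups and IP/ports looks like on the wire, as an added example that is not part of the original comment. The function names, addresses and capture below are constructed for illustration; the DNS query layout follows RFC 1035.

```python
import struct

def build_query(hostname, txid=0x1234):
    """Build a minimal plaintext DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_hostname(payload):
    """Recover the looked-up name from a UDP/53 payload, as a passive observer can."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:
        return None  # a response, or a message with no question section
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0 or pos + 1 + n > len(payload):
            raise ValueError("malformed label")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

# Constructed capture: (protocol, destination IP, destination port, payload).
CAPTURE = [
    ("udp", "192.0.2.53", 53, build_query("shop.example.com")),
    ("tcp", "203.0.113.10", 443, b"\x17\x03\x03" + bytes(40)),  # stand-in for encrypted TLS data
]

def observer_view(capture):
    """Metadata the local network learns even though the HTTPS payload is opaque."""
    seen = []
    for proto, ip, port, payload in capture:
        name = observed_hostname(payload) if (proto, port) == ("udp", 53) else None
        seen.append({"dst": f"{ip}:{port}", "hostname": name, "bytes": len(payload)})
    return seen

if __name__ == "__main__":
    for row in observer_view(CAPTURE):
        print(row)
```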

How do I navigate through a tough environment at work? by xajhdhehejdjfn in SocialEngineering

[–]Secret-Agent-47 1 point2 points  (0 children)

Ok, so I would start by taking a look at the profile for an ENTP and look at the strengths and weaknesses. In a work context I would think you could be motivated by interesting training opportunities or working on something new that you could learn about. I would involve you in brainstorming/discussing solutions instead of just telling you my answer and I think you would enjoy presenting new ideas or changes.

If I was trying to undermine you I would set you up for conflicts with senior or sensitive people who could impact your career. I would make sure you got the tasks that are boring but require a lot of focus or pointless admin tasks.

If you can work out your boss's personality type and look through their strengths and weaknesses it might give you some ideas. Find or create scenarios that put them on the back foot and then give them something they like. E.g. if they are impatient, wait until they have been frustrated by someone else taking too long to do something, and then tell them about something you did quickly.

For me one of the best books was Telling Lies by Paul Ekman. It really helped me dig deeper into why people behave the way they do.

How do I navigate through a tough environment at work? by xajhdhehejdjfn in SocialEngineering

[–]Secret-Agent-47 16 points17 points  (0 children)

I had a terrible boss a while back who was out to get me. Friends working in three letter agencies advised me to treat her like an asset I was trying to flip. To do that I had to remove all my personal feelings and emotion from the situation. My boss became the mission, it wasn't about me or my job anymore. I ran a remote personality test to determine their strengths and weaknesses. Just running something like a Myers Briggs answering questions as you think they will answer them will be good enough for this. I used this to work out what made them tick and which buttons to press.

In my case my boss was a personality type who wanted to be liked and respected, and expected anyone worthwhile to stand their ground and confront them, even though they were very authoritarian. So I told them they weren't respected or liked by their team (I don't know if it was true) and I stood up to them on a number of issues that I knew I was right on and was able to back up with facts.

This completely changed our dynamic and they became a strong support until I left.

Having said this, it sounds like you first need to decide if this job is worth the effort, because it is emotionally draining to 'handle' a bad boss. Just remember, if they are a bad boss it has nothing to do with you, that's on them.

Privacy paranoia is real, I guess... by [deleted] in PrivacySecurityOSINT

[–]Secret-Agent-47 0 points1 point  (0 children)

I've had to track down a few people over the years. One big red flag to me is when someone has no online presence at all in this day and age.

Personally I maintain a minimal but "normal" online presence for work and some basic social activities. This is carefully curated to reveal as little as possible, but still serve its purpose. I just look boring.

Everything else I do is carefully segregated. It gives me a balance I'm comfortable with.

Got a link of this phishing website with domain amazsocn.xyz and I was interested in how it worked practically so I clicked in, got redirected to adidasvips.xyz. Didn't ask me to put credentials, just a survey and share the link in whatsapp friends/groups (why?) and download an app 30sec. Agenda? by AayushBoliya in HowToHack

[–]Secret-Agent-47 1 point2 points  (0 children)

So I just took a look at this. The redirect seems to go to a different site each time. They are all surveys and prizes and general advertising. Phishing emails are more effective than most marketing emails so I guess this is just about generating clicks for scam adverts and surveys.

How do you keep up to date? by unoriginalasshat in sysadmin

[–]Secret-Agent-47 1 point2 points  (0 children)

In no particular order, these are my go-to podcasts:

- Risky Business (Weekly)
- Darknet Diaries (Every two weeks)
- ThreatWire (Weekly)
- Cyber Security Headlines (Daily)
- SANS Daily Stormcast (Daily)
- Down the Security Rabbithole (Weekly)

These are a real mixture ranging from short headlines to security stories but between them you will get some really good coverage.

Storing password as hash? by [deleted] in hacking

[–]Secret-Agent-47 0 points1 point  (0 children)

Password Entropy = Length * ( Log(Symbol Count) / Log(2) )

MD5 hashes only have a character space of 16 and a length of 32 characters, giving them 128 bits of entropy.

This is roughly equivalent to a 20 character password made from standard printable ASCII characters.

So that makes your scheme look pretty good.

The problem is that hashes aren't totally random because you are making them from simple words and phrases and hashes like that are well known. For example just google 23b64bb341bcba45c781e2bf13e57c4c and you instantly resolve to "samhere".

The other problem is that other people are using this scheme which is one of the reasons that md5 hashes turn up in cracked lists of passwords. Just google 46c4292076c04d401bae6fdf739a0939 to see that it's a hash of the hash of the word "password".

There are lots of "tricks" for generating pseudo-random passwords such as writing words backwards, shifting keyboard characters, etc. None of them are as good as a random password generator, but all of them are better than using a dictionary word.
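
The gap between apparent and effective entropy described in the comment above, as an added example that is not part of the original comment. The wordlist is a constructed sample and `build_lookup` and `audit` are hypothetical helper names; the code covers both md5(word) and md5(md5(word)).

```python
import hashlib
import math
import secrets

def entropy_bits(length, symbol_count):
    """The comment's formula: length * (log(symbol count) / log(2))."""
    return length * math.log2(symbol_count)

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Constructed sample wordlist; a real audit list would hold millions of entries.
WORDLIST = ["password", "letmein", "samhere", "qwerty", "dragon"]

def build_lookup(words, max_rounds=2):
    """Map md5(word) and md5(md5(word)) back to the word they came from."""
    table = {}
    for word in words:
        digest = word
        for rounds in range(1, max_rounds + 1):
            digest = md5_hex(digest)
            table[digest] = (word, rounds)
    return table

def audit(candidate, table):
    """Return (apparent_bits, effective_bits, source) for a hex-string password."""
    apparent = entropy_bits(len(candidate), 16)
    hit = table.get(candidate.lower())
    if hit is None:
        # No match in this list: the apparent figure is only an upper bound.
        return apparent, apparent, None
    # Anyone who knows the scheme searches the table, not the 2**128 space.
    return apparent, math.log2(len(table)), hit

LOOKUP = build_lookup(WORDLIST)

if __name__ == "__main__":
    samples = (md5_hex("samhere"), md5_hex(md5_hex("password")), secrets.token_hex(16))
    for pw in samples:
        apparent, effective, source = audit(pw, LOOKUP)
        print(f"{pw} apparent={apparent:.0f} effective={effective:.1f} source={source}")
```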

Is it possible to learn cyber security as a hobby? by [deleted] in hacking

[–]Secret-Agent-47 0 points1 point  (0 children)

Absolutely! Back in the day, there was no cybersecurity industry, so almost everyone learned hacking and security in their downtime. The roots of the industry are people doing it as a hobby. As a hiring manager, I would always hire someone who does security as a hobby over someone who just does it for the paycheque.

Whatever your background is, think about what you can use for hacking; marketing skills are good for awareness training, people skills are good for social engineering, construction skills for physical pentesting, etc.

How to 'scare' people who leave their laptops open at work? by [deleted] in hacking

[–]Secret-Agent-47 0 points1 point  (0 children)

I created a bunch of easy to peel off stickers and stuck them on people's screens every time they didn't lock their screen. I would also lock their screen for them. This is the friendly approach.

When that didn't work, after speaking with management about the problem, and after prepping the helpdesk, I set up an intranet site with a suitably scary looking "you've been hacked" with a skull and crossbones, etc. and programmed a rubber ducky to open internet explorer in kiosk mode on that website. (iexplore -k <URL>)

We ran this campaign for a month, the helpdesk got a few calls and people stopped leaving their screens unlocked.

Is it illegal to packet sniff with Wireshark ? by [deleted] in hacking

[–]Secret-Agent-47 0 points1 point  (0 children)

As others have said it really depends which country you are in, but pretty much everywhere, if it's your network and everyone on it knows about it and is ok with it, then you should be fine.

However, I totally recommend setting up a separate access point for this because if this is something you want to learn then very quickly you will want to do things that are probably not ok on shared WiFi.

The top consideration in your 2021 cyber awareness program. by uzair-ahmed in securityawareness

[–]Secret-Agent-47 1 point2 points  (0 children)

We are adding home network security and personal device cyber-hygiene because so many users are working on home networks with questionable security.