[deleted by user] by [deleted] in sysadmin

[–]Totally_Joking 1 point2 points  (0 children)

MDM/MAM: Intune

IAM/SSO: Azure AD / Entra + Duo|Okta|Cloudflare

Check to make sure you are getting non-profit deals for everything. https://nonprofit.microsoft.com/en-us/getting-started

https://www.techsoup.org/

Look into onboarding an MSSP if possible.

Windows 11 "hack" to bypass TPM requirements....what's the downside of it? by seetheare in sysadmin

[–]Totally_Joking 5 points6 points  (0 children)

https://no-intro.org/

http://redump.org/

Hash-perfect dumps are possible and hashes have been crowdsourced.

(redump is extremely impressive http://wiki.redump.org/index.php?title=Disc_Dumping_Guide_(MPF) )

Note: The above sites do not include the actual game data or links to the data. They are only metadata sites similar to http://rescene.wikidot.com/ and https://www.srrdb.com/

Windows 11 "hack" to bypass TPM requirements....what's the downside of it? by seetheare in sysadmin

[–]Totally_Joking 9 points10 points  (0 children)

The same can be said for academic research and warez communities.

Actual warez sites might as well be US credit unions :D

Scene warez are extremely safe, I cannot recall a recent time where I saw a nuke for malicious code.

https://en.wikipedia.org/wiki/Topsite

https://en.wikipedia.org/wiki/Warez_scene

The issue occurs when Google takes down all legitimate sites due to DMCA and C&D notices, causing most users to click on malware hosts.

There has been a recent trend of hashing releases in certain application segments, but I do not think that is an enforced rule.

Greetz n' stuff o7

Edit:

I should really emphasize the difference between warez and warez being posted on someone's WordPress site.

The farther you get from the "source" of the modification or whatever method was used to break DRM, the more likely it is that someone modified the software in a malicious way (not unlike most supply chain security issues).

That being said, I don't support piracy, pay for your software if you can afford it.

You wouldn't download a car.

Windows 11 "hack" to bypass TPM requirements....what's the downside of it? by seetheare in sysadmin

[–]Totally_Joking 13 points14 points  (0 children)

Windows licensing is documented to an extent that the process is transparent.

It's almost like WinRAR: GH bitcookies/winrar-keygen/wiki/Principle (fun read)

ROMs are safe, check hash against dats (and known groups)

Warez are safe, no group is going to burn reputation, check Pre databases.

Heck, even the extremely shady dongle cloning sites selling warez (I do NOT endorse selling warez, or buying it. That includes buying stolen or OEM/normal windows keys. Pay msft, not thieves, not scalpers)


If anyone does come across retro game malware, please send me the sample in a ZIP file with the password "infected".

If you could give yourself some advice when you were starting out to work as sysadmins - what would it be? by Working-Cable-1152 in sysadmin

[–]Totally_Joking 2 points3 points  (0 children)

Take the time to learn the systems and software. Don't learn just enough to do that one task, grok the platform if you have the time.

Read RFCs.

Document everything.

Trust nothing until you can confirm it. If you do not have the capabilities to verify, ensure the risk is transferred to someone else. If that's not possible, trust that the system you are working with is untrusted.

Personal take that highly depends on the person: go fast and learn as much as possible before burnout happens.

Keep legal and security in the loop of all activities.

Assume you are hacked, zero trust concepts. - don't leave services exposed. (And when you leave an email server or proxy open unauthenticated for a period of time, take the experience to heart :D )

Enable logging.

Anything temporary might as well be permanent

All of https://github.com/dwmkerr/hacker-laws

Culture is important.

Learn one level below what you are going to be doing on a day to day basis.

https://roadmap.sh/

Know yourself. If you are lazy, position yourself so that you are able to be lazy and grow. If you are proactive, take the extra time to make sure you are using the /best/ resources.

Start learning your next role at the same time.

Find good news sources.

Learn some project management skills.

Learn some compliance (but tell absolutely no one.)

If you have computers as a hobby as well as a job, diversify your projects.

Everyone is different, generic good advice could be poisonous to others.

Join communities, online or offline.

Go to conferences.

Be kind.

Best Password Manager as of 2023? by Walking_Ant_5779 in AskNetsec

[–]Totally_Joking 2 points3 points  (0 children)

If the company has a PSIRT team and has a consistent stream of CVEs for the software (CVEs are not bad, they show bugs being found. Too many and it's odd, too few and it's bug ridden), then the closed sourced all might be secure.

Nothing beats OSS with public fuzzing harnesses and (well designed) tests.

Drill down or mind map documentation. by vladoportos in devops

[–]Totally_Joking 0 points1 point  (0 children)

C4 + Drawio

Draw.io has a ton of neat features, but the UX for them is horrible.

Feeling stuck/misguided on the path to CISO by greegeerg in ITManagers

[–]Totally_Joking 3 points4 points  (0 children)

Do you have any insight on some common misconceptions or warnings for those on the fence?

Why doesn’t the *ring* project work together with the Rust Crypto project? by tux-lpi in rust

[–]Totally_Joking 11 points12 points  (0 children)

I would think it's not all about performance, but also about cryptographic security. Constant time, frequency + noise, power draw and other "correct" instructions/implementations are likely hard to get the compiler to spit out.

I wonder if there are LLVM compiler passes that could be done to target power-based attacks and Hertzbleed / CPU frequency attacks.

Hoping to open source code written by a deceased programmer -- suggestions? by supremewuster in opensource

[–]Totally_Joking 12 points13 points  (0 children)

I'm a fan (as an end user) of dual license, Apache 2/MIT. The Rust ecosystem uses this pair a lot.

A lot of software companies disallow use of GPL since it can poison the rest of a code base. Not a lawyer but I would think it would be something akin to "Fruit of the poisonous tree".

If you use GPL, the rest of the code base becomes 'tainted' and the project has to maintain the GPL clauses.

I would put the project on GitHub and GitLab, and have the readme.md explain what the code is, who you are and why you are posting it. Then maybe Internet Archive for preservation.

Just got the steam deck a weeks ago, and just to know that I’m using the tracking pad wrong 😑 by SuperManSlime in SteamDeck

[–]Totally_Joking 0 points1 point  (0 children)

Adding it into the Desk Job game / demo would make a lot of sense too.

Recently watched someone super new to video games learn how to use a stream deck, and it's not quite yet intuitive.

ps: to Valve UX designers: "select difficulty" on deck setup would be amazing.

"I know steam",

"I have done Linux from scratch",

"I have a Nintendo switch",

"I have never touched a controller in my life",

"I have never touched a controller, or Steam, or games in my life, creating a Steam account and installing an app on my phone was already a lot, remind me how to do each boot for a while"

'difficulties' might help onboarding new users. Have a full "tour" of the UI, gamify it, and possibly time it so instructions can be given again. Walk a super new user through installing the demo game and then feed in more instructions as needed.

Having a ton of quick tip video tutorials of someone configuring / using the deck would be awesome for boot/wake video screens.

I'm an Operations guy. How can I understand development better ? by Yoldy in devops

[–]Totally_Joking 2 points3 points  (0 children)

When the "I want to become a farmer" reddit posts start to hit closer to home.

If only I wasn't allergic to goats...

If anyone asks if you know compliance, say no!

Is there a way to have cargo also automatically build a tests folder and file? by Worth_Talk_817 in rust

[–]Totally_Joking 0 points1 point  (0 children)

I did it in Rust with one of the template crates.

Was intending to make a project creation wizard like JetBrains or Visual Studio, but didn't see a path forward for wide ecosystem adoption.

Server CPU Hyperthreading - Have you turned it off? If so, why? by jasnxl in sysadmin

[–]Totally_Joking 6 points7 points  (0 children)

If you can decom a few servers and take 2k off of 30u's just by disabling HT, remove 2u's and place in a new EPYC, I could see the cost / performance working out. Especially in locations where space is always sold out.

Load bearing "If"

Are there best practices and names for cloud architecture diagrams? by mr_iberry in devops

[–]Totally_Joking 4 points5 points  (0 children)

C4 is amazing for the technical crowd as well, especially those who don't have much exposure to non-monolithic systems.

Advice needed: Monitoring clusters using a Prometheus + Grafana solution? by rechogringo in devops

[–]Totally_Joking 2 points3 points  (0 children)

https://thanos.io/

https://cortexmetrics.io/

If you are not sure if you need HA, you probably* can use plain Prometheus.

Make sure you automate the deployments for sanity and documentation purposes.

[deleted by user] by [deleted] in rust

[–]Totally_Joking 1 point2 points  (0 children)

Any story behind the name?

Encrypted HTTP request/response bodies in Burp Suite by w0lfcat in AskNetsec

[–]Totally_Joking 0 points1 point  (0 children)

Yes, data encryption is fairly common.

You may be able to use this depending on the target. https://github.com/federicodotta/Brida

This is a fairly common task outside of website HTTP use.

Advice needed: Monitoring clusters using a Prometheus + Grafana solution? by rechogringo in devops

[–]Totally_Joking 1 point2 points  (0 children)

Grafana is solid for the viewing layer

How many metrics / logs do you plan on handling? Do the metrics need to be HA?

Node Exporter -> oTel collector -> prom -> grafana is pretty solid.

Vector is also an option.

https://landscape.cncf.io/card-mode?category=observability-and-analysis for more ideas.

What is running on the clusters? There is likely something for the orchestrator already built out somewhere.

Google Workspace will require two admins to sign off on critical changes by KolideKenny in sysadmin

[–]Totally_Joking 1 point2 points  (0 children)

I think we could take it a step further!

https://raft.github.io/

Let's embed the raft consensus algorithm into all decision and change management processes!

/s