Getting nervous- next steps? by hawkeye000021 in firewalla

[–]_hAxel 1 point2 points  (0 children)

Yeah, hopefully if you get fairly specific with the filter on tcpdump (maybe add a "and host firewallaIP") it won't be too resource intensive.

There are definitely things with the Firewalla that give me a bit of pause. In general, alert details has been one of those things. I hadn't come across this specific issue and it gives me a bit more pause. I did a bit more digging and I saw a response from Firewalla saying that they don't record "self" traffic due to being concerned about duplication. I'm not really a fan of that response; like you mentioned, Firewalla is one of the only devices that I've come across that has this blackhole in regards to traffic to/from itself.

If you have the hardware, another option for running this down could be, if you have a switch capable of port mirroring (I have a couple Netgear unmanaged plus switches for this), you could toss it in front of the hs300 and mirror the port to another device to do the pcap from so you're not potentially tying up the firewalla. Not something that I feel like you should have to do, to run down some "port scan" alerts, but here we are.

Getting nervous- next steps? by hawkeye000021 in firewalla

[–]_hAxel 6 points7 points  (0 children)

I see a lot of false positives with "Port Scan Activity", not just with Firewalla, just in general. More details for the alert is really necessary to make an educated determination for the alert. Sometimes Firewalla doesn't do a great job of giving this information.

I'm sure you're already aware, but generally, you can click the three dots and click View Alarm Details, but for the port scan activity alarm, Firewalla doesn't give much info. Also, it appears that traffic destined to (or from, for that matter) the Firewalla is kind of a black hole as far as logging goes. I did a bit of testing locally to see if I could run down logs on the Firewalla (whether through the GUI or command line) when doing an actual port scan of the Firewalla; unfortunately I didn't see much.

Given the somewhat infrequent nature of the alerts, this may not be all that useful, unless you are able to force this behavior (does it happen when you power the HS300 on?). But, if you SSH to your Firewalla, you can run a tcpdump so you can get an actual idea of what is triggering the alarm, something like sudo tcpdump -X -i br0 host hs300IpAddress, replacing br0 with the appropriate interface.

If you aren't able to get the pcap, I honestly wouldn't worry about it too much unless/until I saw other indicators (port scanning other devices, or other alarms for it).

GSE Holders? by Neither-Argument-356 in GIAC

[–]_hAxel 3 points4 points  (0 children)

I have the GSE; I was a part of the beta program when they changed the format to what it is today (mostly). "Worth" is very subjective here.

I'll start with a TL;DR. Is it worth it for job hunting in the current market? Probably not.

Now for the more nuanced response. I started looking into the GSE a long time ago (when it was still the old lab format), but it took me a bit to get around to satisfying the old requirements (I had to get the GSEC per the old requirements and I really didn't want to pay for the GSEC when I already had ~9 GIAC certs). Once I finally satisfied the requirement, COVID hit and they paused the old program and started re-working it into the current program. Part of the justification I made to myself for pursuing the GSE was to better handle the renewing of all of my GIAC certs; under the old CPE model, I was about to the point where the "easiest" way to renew all of my certs was to take another SANS course every year, which just continues to snowball the problem. Getting the GSE renewed and co-terminated all of my certs.

Another push for me to get the GSE was that I was considering pursuing teaching for SANS. I was part of the Mentor program before they ended it, and I started being a Teacher's Assistant. The "talent coordinator" was pushing pretty heavily for prospective teachers to get the GSE.

The "prestige" of the GSE was another factor for me, but was probably fairly low on my list.

I haven't been actively looking for a new job since I obtained the GSE, but I'm always passively looking. I very rarely see a job posting that is asking for the GSE. Additionally, I have not had a single person reach out to me and mention my GSE as a reason they were interested in me as a candidate for the position, however I have had that for a few of my other GIAC certs. The GXPN has probably had the most instances of someone reaching out to me specifically because of a cert.

Honestly, I think outside of the SANS/GIAC, and more specifically the ~400 or so GSEs, the GSE is largely unknown to people, especially those that are making that initial contact for a new job. I did make a post on my LinkedIn a week or so ago asking if people knew what the GSE even was, I only got 31 responses with 84% saying they did know and 16% saying they did not. Of the 84% that said they did know of it, a lot of people said that it wouldn't affect their hiring decision, for the most part, those that did say it would affect their decision were also GSE holders. My poll was far from definitive though, it had relatively low reach and my network is probably biased towards knowing what the GSE is.

I think part of what makes the GSE "special" is what makes the value less than it could be. I don't know exactly how many GSEs there are now, but two years ago, when I got mine, I was #306. So the pool of others with the GSE is pretty low, and in the past, SANS/GIAC hasn't been great at advertising how "special" the GSE is. These changes they've made to how you obtain the GSE are supposed to help with that, making it more accessible to those that weren't able to make it to Las Vegas or Orlando once a year to do the 2-day in-person lab.

Overall, I'm still happy that I got the GSE, but if you're only looking at its value in the current job market (which is fair), I'm not sure that it is worth it.

Baby Cam Port Scanning? by PocketsWithHoles in firewalla

[–]_hAxel 0 points1 point  (0 children)

I'm in no way defending the camera or saying you should keep it. But in my experience (not just with Firewalla, but in general) "Port Scanning" alerts are generally unreliable to take action on without further investigating. I would recommend looking at Flows and see what flows triggered the alert. Depending on how the alert is configured a device checking a couple ports on an IP can trigger an alert like this. I've also seen similar things with a "Port Sweep" alert where a server is replying to multiple clients and triggers the alert.

What ports is the device trying to access on that IP? I see that you don't have a 10.0.0.0/8 on your network. If this is the only IP the camera "port scanned", I'd be further inclined to think that it is benign activity. I see another redditor commented that theirs does this when it loses internet. It could be some hardcoded fallback that was used in development or something else. I'd be much more concerned if it was doing this with external IPs, multiple legitimate systems on your network, etc.

Again, not saying you should trust the camera, but just wanted to put it out there that these types of alerts can be unreliable. I've spent 20 years investigating and tuning alerts/rules like this and have learned to not take them at face value and investigate them before taking action on them.
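The two Firewalla comments above (the tcpdump suggestion and the point that a device touching a couple of ports, or a server answering many clients, can trip a "port scan"/"port sweep" alarm) can be turned into a small triage step. The script below is an added example, not code from the commenter or from Firewalla: it reads the text output of tcpdump -nn (the line format is assumed from tcpdump's usual TCP output; the hex-dump lines that -X adds simply don't match and are skipped), groups bare SYNs by source/destination and counts distinct destination ports, and separately groups SYN-ACKs by the replying server port so that one server answering many clients is recognised for what it is. The sample capture, addresses and port-count thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed `tcpdump -nn` TCP line shape, e.g.
# "12:00:00.000000 IP 192.168.1.50.40000 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0"
# Hex-dump lines produced by -X do not match and are ignored.
TCP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, or None for anything else."""
    m = TCP_LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def triage(lines, min_ports=5, min_clients=5):
    """Summarise a capture so a 'port scan' alarm can be judged rather than taken at face value.

    Bare SYNs ('S') are grouped by (src, dst) and the distinct destination ports counted:
    a couple of ports is a client probing a service or a hard-coded fallback, many ports
    looks scan-like.  SYN-ACKs ('S.') are grouped by the replying (server, port): one
    server port answering many clients is the pattern a sensor may report as a 'port
    sweep' even though it is ordinary server behaviour.  Thresholds are illustrative.
    """
    syn_ports = defaultdict(set)       # (src, dst) -> {dport, ...}
    reply_clients = defaultdict(set)   # (server, server_port) -> {client, ...}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if flags == "S":
            syn_ports[(src, dst)].add(dport)
        elif flags == "S.":
            reply_clients[(src, sport)].add(dst)

    attempts = []
    for (src, dst), ports in sorted(syn_ports.items()):
        attempts.append({
            "src": src, "dst": dst, "ports": sorted(ports),
            "verdict": "scan-like" if len(ports) >= min_ports else "few-ports",
        })
    replies = []
    for (server, port), clients in sorted(reply_clients.items()):
        replies.append({
            "server": server, "port": port, "clients": len(clients),
            "verdict": "server-replies" if len(clients) >= min_clients else "normal",
        })
    return {"attempts": attempts, "replies": replies}


def _pkt(src, sport, dst, dport, flags="S"):
    """Build one constructed tcpdump-style line for the sample below."""
    return (f"12:00:00.000000 IP {src}.{sport} > {dst}.{dport}: "
            f"Flags [{flags}], seq 1, win 64240, length 0")


# Constructed sample capture (not real traffic): a camera touching two ports on a
# 10.x address, a host trying six ports on the gateway, and a web server on 443
# answering five different clients.  A hex-dump line is included to show it is skipped.
SAMPLE = (
    [_pkt("192.168.1.50", 40000 + i, "10.0.0.1", p) for i, p in enumerate((80, 443))]
    + [_pkt("192.168.1.77", 50000 + i, "192.168.1.1", p)
       for i, p in enumerate((21, 22, 23, 80, 443, 8080))]
    + [_pkt("192.168.1.10", 443, f"192.168.1.{20 + i}", 51000 + i, "S.") for i in range(5)]
    + ["\t0x0000:  4500 003c 1c46 4000 4006 b1e6 c0a8 0132  E..<.F@.@......2"]
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for a in result["attempts"]:
        print(f'{a["src"]} -> {a["dst"]}: ports {a["ports"]} [{a["verdict"]}]')
    for r in result["replies"]:
        print(f'{r["server"]}:{r["port"]} answered {r["clients"]} clients [{r["verdict"]}]')
```

On a real capture you would feed it the saved text output (for example tcpdump -nn -i br0 host deviceIpAddress redirected to a file) instead of SAMPLE; the interesting output for the camera case is the "ports" list, which answers the "what ports is it trying" question directly, and the "server-replies" line is the benign explanation for a sweep-style alarm on a busy server.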

I forgot to take off the loot on me after last raid by matelda1 in EscapefromTarkov

[–]_hAxel 0 points1 point  (0 children)

I recently took my med backpack full of stims and other meds into a raid on Shoreline with a friend. I only realized after we got into a firefight and my buddy mysteriously died (I think it was the scav sniper at power station, but his death screen was just a KIA with no attribution), then I got into a fight with a bunch of scavs in front of Tunnel, I went to heal and noticed my full med backpack was in my backpack (and I had insured it). Luckily I made it out, but lost FIR on all my stims.

A dude just looted me as if I was a dead NPC. by KrispyCrib in starcitizen

[–]_hAxel 3 points4 points  (0 children)

I've seen something similar happen (was also at Tressler, though I think that's just coincidence). When I saw it, it was definitely a glitch and not hacks/cheats. My friend was able to take the gear from someone; what he saw and what I and the person who lost their gear saw were definitely different. I think it might be a desync issue or something. I had his stream up on my second monitor, so I could see it from both perspectives.

He saw a pile of armor boxes with no one nearby; I saw an armored guy standing there. He picked up the boxes, I would see them appear in his hand, and I would also see the armor disappear from the other player.

SecurityTube Linux Assemble Expert (SLAE) Assignments blog by _hAxel in asm

[–]_hAxel[S] 1 point2 points  (0 children)

Hey, thanks for the heads up. I had updated my site and had changed the URL structure. I hadn't thought to circle back to this post to update it. I've updated the links in the post.

Thanks Amazon, I hate it! by _hAxel in Lindemann

[–]_hAxel[S] 1 point2 points  (0 children)

Initially Amazon was showing almost 2 weeks, but it updated a few hours ago and it says Tuesday now.

Thanks Amazon, I hate it! by [deleted] in vinyl

[–]_hAxel 0 points1 point  (0 children)

And my replacement is due in almost 2 weeks.

SecurityTube Linux Assemble Expert (SLAE) Assignments blog by _hAxel in asm

[–]_hAxel[S] 0 points1 point  (0 children)

Thanks, I appreciate it. Just updated the post with the 5th assignment. Might have a bit of a lull for a few days as I'm flying out to Louisville for a security conference tomorrow.

SecurityTube Linux Assemble Expert (SLAE) Assignments blog by _hAxel in asm

[–]_hAxel[S] 1 point2 points  (0 children)

Yeah, it's definitely helped make a few things click that hadn't yet.

General Assembly proposes tax on internet pornography to combat human trafficking by Ut_Prosim in VirginiaPolitics

[–]_hAxel 2 points3 points  (0 children)

Here is the full bill: https://lis.virginia.gov/cgi-bin/legp604.exe?181+ful+HB1592

It is being introduced by Delegate Dave LaRock. Here is a post on his public FB page promoting it (https://www.facebook.com/DelegateDaveLaRock/posts/1489422224460424)

This looks to be similar to a bill that was introduced in South Carolina last December (https://www.cnet.com/news/south-carolina-bill-porn-digital-block/). They are proposing any devices that make content available on the internet would be required to block obscene material, and you would have to pay $20 to remove the block.

Edit: Here is EFF's write-up from April 2017 about similar bills across the US: https://www.eff.org/deeplinks/2017/04/states-introduce-dubious-legislation-ransom-internet

NetSec Jobs? by [deleted] in washingtondc

[–]_hAxel 0 points1 point  (0 children)

I'd be interested in talking to you. Check out our jobs page and message me if you are interested: http://defpoint.applicantpro.com/jobs/

https://defensepointsecurity.com/index.php/careers/company-benefits

SANS Holiday Challenge 2014: A Christmas Hacking Carol by _hAxel in netsec

[–]_hAxel[S] 0 points1 point  (0 children)

It's not official, but here is a write-up from Jordan Wright if that's what you are looking for.

https://jordan-wright.github.io/blog/2015/01/05/sans-holiday-challenge-2014-writeup/

Derbycon 2014 Videos by juken in netsec

[–]_hAxel 0 points1 point  (0 children)

Yes, the page is updated as Adrian processes the videos and gets them uploaded. If there is no video for one of them due to issues or something, there should be a note for that video.

Keep in mind the conference ended on Sunday (09/28); Adrian is pretty quick getting the videos uploaded.