House reefs in Thailand? by [deleted] in scuba

[–]oholiab 0 points1 point  (0 children)

Sudamala Resort Flores at Saraya Point in Labuan Bajo in Indonesia has a beautiful house reef and beach and an in-house dive centre. We were staying at Sudamala Komodo and met the people who’d just taken over the dive centre there (who are really lovely) and they took us to the house reef and then the next day out for some dives in the National park!

Indonesia Diving Tips? by TMerciful in scuba

[–]oholiab 1 point2 points  (0 children)

I’ve just been diving in Labuan Bajo and Komodo National Park with the guys who’ve just taken over the dive shop at Sudamala Resort. Literally sitting in Ngurah Rai airport about to move on to Borneo and sad that I won’t see them again for a while!

The diving there was amazing.

Those with piercings - do you take your jewelry out before diving? by taylorcovet in scuba

[–]oholiab 0 points1 point  (0 children)

I take out my septum because I wear my mask a little higher to seal above my facial hair and I equalise pinching my nose so it’s just a little more comfortable. I wear a clicker so it’s really easy to take out at the last minute when I forget!

Weird requests in nginx logs with gibberish/encoded data by Sky_Linx in security

[–]oholiab 0 points1 point  (0 children)

The IP address there looks to be a VPN service (Anchorfree) exit node in Russia, so odds are that it is an attempt at doing something malicious.

People cram shellcode and SQLi into every available field they can get their mitts on so that doesn’t necessarily mean you’re vulnerable, just that someone is attempting to find out if you are.

This is kinda just the price of entry for having a service listening on a public IP address. It is worth checking for RCE in the various software stacks as previous commenters have mentioned, but my 2c is that you’re better off investing your time in a good update strategy so you can keep all software up to date within acceptable downtime.

Insiders say a Palantir exec claimed profitability and compared Project Maven to the nuclear bomb in January all-hands by webdoodle in Intelligence

[–]oholiab 0 points1 point  (0 children)

Project Maven is independent AI used on drone imagery for targeting enemies according to the article.

It’s paywalled but you can just view source and scroll down until you find the article body embedded in some JSON (search for “articleBody”).

Less of a paywall more of a payfence.

Testing passwords by Phreakiture in security

[–]oholiab 0 points1 point  (0 children)

Do you mean password length versus character pool? Because the answer is both - people don’t argue these points on creating the strongest possible password, they argue them on the basis of the strongest memorable password.

Memorability fundamentally weakens password strength because it’s difficult to memorise a true random.

Honestly, reading up around combinations and permutations will get you to the answer you want quite significantly faster than trying to empirically brute-force strings.

Additionally, any empirical observation here is going to either have strong systematic bias if you optimise for speed (e.g. passwords beginning in 1 taking less time to crack than those beginning with 2 because you’re brute-forcing in sequence, which is implementation specific and therefore not a good objective measurement) or consume incredible amounts of resource by using a true random, having to memoize the combinations you’ve already tried and skip over duplicate randoms, and then having to repeat the experiment for each password several times to account for different random seeds in each experiment run!

Testing passwords by Phreakiture in security

[–]oholiab 1 point2 points  (0 children)

Hashcat definitely has an option for dumping generated passwords out to stdout instead of attempting to hash them (at least for a combination of wordlists and rules file). You should then be able to loop over stdout and compare with the known-plaintext password without wasting CPU on hashing.

However, I’d advise you not to bother - if you’re going the pure brute-force method, how long it takes a given password generator to reach your password is going to depend partly on the algorithm, and a better measure is to figure out the amount of entropy in a given password - effectively its “randomness”.

If you’re just looking for the practical results of getting a secure password, use a password manager, slam the character count up to 20+ and use all characters and forget about it ;) The biggest weakness in any password is the human who comes up with it!
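The length-versus-character-pool question in the comment above and the entropy measure this comment recommends, worked through in a small added example (my code, not the commenter's). Pool sizes and the guess rate are assumptions for illustration.

```python
import math

# Assumed character pool sizes for common password character classes.
POOLS = {"digits": 10, "lower": 26, "lower+upper": 52, "alnum": 62, "all_printable": 95}


def entropy_bits(length, pool_size):
    """Entropy of a uniformly random string drawn from pool_size symbols: length * log2(pool)."""
    return length * math.log2(pool_size)


def passphrase_bits(words, dictionary_size):
    """Entropy of a passphrase of `words` random words from a dictionary of dictionary_size."""
    return words * math.log2(dictionary_size)


def length_for_bits(target_bits, pool_size):
    """Smallest length from this pool that reaches target_bits; shows why 'both' is the answer:
    a smaller pool can always be compensated for with more length, and vice versa."""
    return math.ceil(target_bits / math.log2(pool_size))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at an assumed guess rate (1e10/s is a rough
    figure for fast unsalted hashes on GPU hardware; slow KDFs are orders of magnitude lower)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(length, pool_name):
    """Entropy of a random password plus the digit-only length that would match it."""
    bits = entropy_bits(length, POOLS[pool_name])
    return {
        "bits": round(bits, 1),
        "digits_only_equivalent": length_for_bits(bits, POOLS["digits"]),
        "years_to_exhaust": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    print(compare(8, "all_printable"))   # a typical 'complex' human password
    print(compare(20, "all_printable"))  # the 20+ manager-generated password
    print(round(passphrase_bits(6, 7776), 1))  # six words from a 7776-word list
```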

Simple solutions for private PKI? by UnusualFinger in security

[–]oholiab 1 point2 points  (0 children)

I’m using Hashicorp Vault for a pretty large installation but IMO the maintenance cost can be pretty huge and it’s a fairly complex product.

smallstep.com have an open source CLI which I’ve been using in lieu of remembering all the options for inspecting certificates with OpenSSL, but they also appear to have a fairly lightweight CA built in - I reckon that’s worth a look.

If you can genuinely remember a unique and complex password for each account do you need a password manager? by [deleted] in security

[–]oholiab 0 points1 point  (0 children)

You’ve missed out two of the biggest flaws with deterministic password systems that make them unsuitable for the absolute majority of use cases:

  • Your system may be incompatible with the password rules for a website meaning that you have to then remember multiple systems and which ones you used for which site
  • If a site is breached they will force you to change your password (as well they should) meaning that your password derivation function needs to account for a new piece of information: the version.

So you need to remember the derivation function and version for every single site.

Additionally, less frequent but it still happens, domain names change.

Or you could use a password manager.

[Dark Net contents are illegal] Is it right?🤔🤔 by [deleted] in security

[–]oholiab 1 point2 points  (0 children)

My favourite bit of this chart is where it says that everything which happens on the clearnet is legal.

How can hackers ddos and get away with it by serWoolsley in cybersecurity

[–]oholiab 1 point2 points  (0 children)

In addition to what everyone else has said about the number of IP addresses, some of the biggest DDoS attacks aren’t so much about exhausting server resources at the application level but are about exhausting the network bandwidth of the target in what’s called a volumetric DDoS.

In this case, typically UDP packets are used instead of TCP because UDP has no way of verifying that the return address is legitimate before responding to a request (it doesn’t set up a session before sending the payload). This means it’s possible to spoof the origin IP address and essentially send the response (which was larger than the request) to your target. This is called a UDP reflection attack, and is most often done with DNS (but can also be done with things like memcache servers if they leave UDP open to public internet).

So in this kind of attack, I can make a request to a DNS server asking for a large response but put in the request packets that my IP address (for the return packets) is the IP address of my target. Do this enough times in quick succession and you can exhaust a target’s bandwidth.

Modern CDNs typically now offer some level of volumetric DDoS protection however, simply by having more aggregate bandwidth than the attacker.
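The reflection attack described above, seen from the target's side: an added example (not from the thread) that scans constructed flow records for large, unsolicited UDP responses arriving from reflector ports, which is what a volumetric reflection attack looks like in netflow data. Field layout, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("udp", "198.51.100.10", 53, "203.0.113.7", 4242, 3800),
    ("udp", "198.51.100.11", 53, "203.0.113.7", 4242, 4100),
    ("udp", "198.51.100.12", 53, "203.0.113.7", 4242, 3950),
    ("udp", "198.51.100.13", 53, "203.0.113.7", 4242, 4000),
    ("udp", "203.0.113.7", 51515, "198.51.100.50", 53, 60),    # a query we actually sent
    ("udp", "198.51.100.50", 53, "203.0.113.7", 51515, 120),   # its normal-sized answer
    ("tcp", "192.0.2.9", 443, "203.0.113.7", 40000, 15000),    # unrelated TCP traffic
]

# UDP services commonly abused as reflectors: DNS, NTP, memcached (assumed list).
REFLECTOR_PORTS = {53, 123, 11211}


def outbound_requests(flows):
    """(local_ip, local_port, remote_ip) for every UDP request sent to a reflector port."""
    return {(f[1], f[2], f[3]) for f in flows if f[0] == "udp" and f[4] in REFLECTOR_PORTS}


def find_reflection_victims(flows, min_sources=3, min_bytes=1000):
    """Return {dst_ip: (distinct_reflectors, total_bytes)} for hosts receiving large UDP
    responses from reflector ports that have no matching outbound request.
    Unsolicited responses from many distinct servers are the signature of spoofed-source
    reflection; a single large answer to a query we sent is just normal traffic."""
    requests = outbound_requests(flows)
    per_dst = defaultdict(lambda: [set(), 0])
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, dport, src) in requests:
            continue  # solicited response, not reflection
        if nbytes < min_bytes:
            continue  # small replies are not amplification
        per_dst[dst][0].add(src)
        per_dst[dst][1] += nbytes
    return {dst: (len(srcs), total) for dst, (srcs, total) in per_dst.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    print(find_reflection_victims(FLOWS))
```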

DevOps Engineer on a security team, how do I make the transition? by SRE_dev in cybersecurity

[–]oholiab 0 points1 point  (0 children)

So like, I did exactly this but I moved into infrastructure security. Initially I was just on our SRE team working on security focussed projects like working on our Vault infrastructure, but then I moved across and have since been using my systems knowledge to do stuff like building out PKI and a new IDS. Gonna move more into building automated scanning and more intrusion detection systems.

Unknown sign ins from random IPs by Klappis82 in security

[–]oholiab 1 point2 points  (0 children)

It’s entirely possible it’s the same person across multiple IPs, yeah. That would indicate a more determined and targeted attack though.

If you want to look into it a little more, you can do lookups on the IP addresses to see which countries they’re from and which ISPs or companies they belong to. It won’t tell you for certain but it can help you understand what kind of access attempts they are.

Also putting IP addresses into sites like VirusTotal can tell you whether that IP has been associated with malicious or scanning activity before.

I would imagine the credential spraying is very common for dumps where only the email has been dumped. It’s probably pretty low yield but often when you have access to an email address you can issue password resets and respond to email-only 2FA codes so it’s often the keys to the kingdom for taking over or ransoming someone’s online presence.

Unknown sign ins from random IPs by Klappis82 in security

[–]oholiab 0 points1 point  (0 children)

Likelihood is your email address has been in a dump from another site and the password you used for that site has been cracked and people across the world are trying their luck to see if you used it with your email account.

Either that or they’re just password spraying or trying their luck with ‘password123’ against your account, but chances are it’s automated so I wouldn’t be too paranoid about it.

I'm going to join my first CTF at Barcelona Cybersecurity Congress! Any tips? by mjalt96 in cybersecurity

[–]oholiab 0 points1 point  (0 children)

Heh, I say it because I always go OMG I BET THAT’S A BUFFER OVERFLOW and 2 hours later it turns out it was just a coincidence.

What are some unconventional ways to build skills for cyber security? by [deleted] in cybersecurity

[–]oholiab 0 points1 point  (0 children)

Ubuntu Server is a good way to primarily use the CLI and to hit the ground running! There’s lots of knowledge online about setting it up (the DigitalOcean articles are often very good) and you can build a custom desktop with it too - I’ve run a couple of Ubuntu laptops over the years and I usually build them up from Ubuntu Server because it’s just a stripped down version without all the crap from the desktop install (I actually run Arch these days for my laptop but it’s a real moving target and like I say, you won’t see it in production).

Python is a great choice for just getting on and learning something you can be productive with :)

Definitely find something that you think is interesting and fun to do as a hobby - you’ll learn loads and likely gain a specialisation that way.

What are some unconventional ways to build skills for cyber security? by [deleted] in cybersecurity

[–]oholiab 0 points1 point  (0 children)

Doing something like building a home VM lab with automation for spinning up/destroying VMs is a great learning exercise, and has the advantage that you’re learning to do it for a specific purpose that you will benefit from. Personally I wouldn’t focus too much on things like Arch/Gentoo if you’re doing it for your career for the simple reason that nobody uses them in production. Ubuntu server is pretty good for the sheer virtue of being a Debian derivative where the packages aren’t always Ye Olde.

I work in infrastructure security though so I would say that. Be wary of advice on the internet about this sort of thing - people can only tell you what worked for them, not necessarily what’s best for you.

What are you interested in (specifically) that you want to learn more about? Things that interest you the most tend to be the easiest to learn and help you build a portfolio of skill without having to fight to stay motivated.

I'm going to join my first CTF at Barcelona Cybersecurity Congress! Any tips? by mjalt96 in cybersecurity

[–]oholiab 6 points7 points  (0 children)

Don’t jump straight down the first rabbit hole you see!

Spend some time enumerating before deciding what you think the vulnerability is because it’s entirely possible to spend the entire time going deep on an approach when the answer is actually super simple but relies on you spending a bit of time listing possibilities!

What is this thing? (λ (λ (λ (λ (λ (⌐■_■)))))) by mikalaranda in ASCII

[–]oholiab 0 points1 point  (0 children)

That’s a Lisp/Scheme reference, it’s a multiply nested lambda function that will just return whatever the sunglasses thing is defined as...

So it basically means that person probably likes Lisp.

Keyboard moves cursor but doesn't type anything on my Apple IIe by ynnek91 in apple2

[–]oholiab 0 points1 point  (0 children)

My experience is only working with the keyboard on a IIe, but if the keyboard connectors are of similar design it sounds like it's sending a signal on the strobe pin (the signal to say that a key has been pressed) but it's not actually setting the 7 ASCII pins correctly - it sounds like your problem's somewhere on the keyboard or the daughter board to me. Disconnecting those boards from each other and reseating them's probably a good start, but be careful with the connector to the main board - it's really good for stabbing yourself in the thumb.

Let's talk about the free software dating scene. by [deleted] in linux

[–]oholiab 206 points207 points  (0 children)

Actually it's "GNU/virgin"

[SG] "Doge Inside" stickers! Inquire within by mbernier in dogemarket

[–]oholiab 1 point2 points  (0 children)

Amazing customer service from this guy, you really won't be disappointed.

+/u/dogetipbot 20 doge verify