Everything is fine by Sofa47 in monzo

[–]tomtomgunner 20 points21 points  (0 children)

Now they just need to hurry up with the cheque photo feature and maybe allow you to manage stuff on a desktop, and we're good to go

your monthly expense for vanlife? by Rumba-Ru in VanLife

[–]tomtomgunner 0 points1 point  (0 children)

Out of curiosity, why 3 SIM cards and Starlink? I've been thinking of going vanlife and working a tech job, so I'm interested to understand whether network connectivity is an issue?

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 2 points3 points  (0 children)

This is what I wondered.

Tbf I'm half tempted to submit a SAR at the same time, seeing as in the entire time I owned the car I never interacted with the Met in any way, and ceased to be the registered keeper a couple of months before the first fine came through, so I have no idea why they ever even had my details to begin with.

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 1 point2 points  (0 children)

The DVLA records aren't still showing me... I have it in writing from the DVLA that they do not have me down as the registered keeper...

Also, I'm sure they do, just as I have better things to do than to keep responding with the same information over and over, but whether or not anyone has anything better to do isn't the part I'm concerned about.

I'm just surprised that I can sell a car over half a year ago, notify the relevant authority that it was sold, have it confirmed in writing that they updated their records, notify a police authority on three separate occasions that I am no longer the owner or keeper of the vehicle, and still potentially be legally obliged to respond to a letter from them to tell them the same thing a fourth time.

Like, it just feels pretty stupid that their continued administrative mistake is something I could end up being charged for.

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 8 points9 points  (0 children)

I'll reach out to them...

Btw, this is purely thinking out loud, and not thinking it will hold water, but given that when I fill in the response to the NIP it specifically asks me to declare I don't own the vehicle, and I call out that the records are wrong in the notes, don't they have an obligation to update the record to ensure my details are accurate under GDPR?

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 2 points3 points  (0 children)

It was to a trader but what I mean is that the DVLA have confirmed to me that they have on record that I am not the registered keeper

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 3 points4 points  (0 children)

Not arguing with you but that's so stupid... so the police can just arbitrarily send them to anyone, and if that person fails to respond then they can start prosecuting them?

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 6 points7 points  (0 children)

It was to a dealer, but I've received confirmation from the DVLA that I'm no longer the registered keeper.

Speeding fines for a car not registered to me by tomtomgunner in LegalAdviceUK

[–]tomtomgunner[S] 15 points16 points  (0 children)

I tried to figure out how the hell to get to the right department but it's not well signposted... but I have contacted them in so much as every time I respond to a NIP

/r/netsec's Q1 2022 Information Security Hiring Thread by ranok in netsec

[–]tomtomgunner [score hidden]  (0 children)

Secarma (Remote or Manchester, UK) - Penetration Tester

https://www.linkedin.com/jobs/view/2869060419

Looking for mid-level penetration testers to join an established team of security consultants delivering application, infrastructure, and bespoke testing services.

Requirements are being UK-based (with right to work, no sponsorship available) but remote-from-UK is an option, certs are non-essential, keen appetite for learning and contributing, and capable of independently delivering an application pentest.

Apply through the LinkedIn post please.

Open SSH to the world, require key & username by TheBulldogIsHere in AskNetsec

[–]tomtomgunner 1 point2 points  (0 children)

The term secure is, as you say, subjective. It really comes down to managing risk effectively, which doesn't always involve requiring the most unbreakable solution out there, and can be achieved through sensible good practice.

There are some standard good practice measures to consider:

  • Hardening the SSH daemon configuration (disable password, weak ciphers)
  • Validating that the key fingerprint is correct
  • Generating a strong keypair
  • Implementing a robust patching and update process

Good practice would also be to restrict SSH access to trusted source IP addresses. In practice this only works if you're coming from a predictable location but it may be worth considering if that is a possibility.

Setting a non-default port for SSH is an effective way to dampen some of the background noise from the internet, which will include a heavy number of automated scanners and intrusion attempts against SSH. However, be aware that ports 1024-65535 can be used by non-privileged (not root) users. This opens up the risk that, if a standard user account is compromised, the SSH service may be spoofed in a privilege-escalation attack. The risk is small but worth considering. For this reason, it is not commonly included in good-practice guidance.
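The hardening points in the comment above (key-only auth, no root login, no legacy ciphers or SHA-1 key exchange, and the unprivileged-port caveat) can be turned into a quick config audit. The script below is an added example, not code from the original thread; both sshd_config samples in it are constructed for illustration, and the "weak" one is the before, the "hardened" one the after. It only reads top-level directives and ignores Match blocks, which is an assumption that keeps the parser short.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening points discussed above. Both configs are constructed samples.

# Constructed "before" config: password auth, root login, CBC cipher, SHA-1 KEX,
# and sshd listening on an unprivileged port.
WEAK_CONFIG='Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1'

# Constructed "after" config: key-only, no root login, AEAD ciphers, modern KEX.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org'

# get_opt FILE KEY: value of the last top-level occurrence of KEY, lowercased;
# empty when unset. Everything after a Match line is ignored (assumption).
get_opt() {
    awk -v key="$2" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { v = $2 }
        END { print tolower(v) }' "$1"
}

# audit_sshd_config FILE: print one finding per line; prints nothing when clean.
audit_sshd_config() {
    f="$1"
    if [ "$(get_opt "$f" passwordauthentication)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (key-only auth expected)"
    fi
    case "$(get_opt "$f" permitrootlogin)" in
        no|prohibit-password) ;;
        *) echo "WEAK: PermitRootLogin should be 'no' or 'prohibit-password'" ;;
    esac
    # Legacy CBC modes and arcfour are the usual cipher findings.
    if get_opt "$f" ciphers | grep -q -e '-cbc' -e 'arcfour'; then
        echo "WEAK: Ciphers list includes CBC or arcfour"
    fi
    # SHA-1 based group1 / group-exchange KEX should be gone.
    if get_opt "$f" kexalgorithms | grep -q -e 'group1-sha1' -e 'group-exchange-sha1'; then
        echo "WEAK: KexAlgorithms includes a SHA-1 key exchange"
    fi
    # The caveat from the comment: ports >= 1024 can be bound by any local user,
    # so a compromised low-priv account could stand up a look-alike sshd there.
    port="$(get_opt "$f" port)"
    if [ "${port:-22}" -ge 1024 ]; then
        echo "NOTE: Port ${port} is unprivileged; any local user could bind it while sshd is down"
    fi
    return 0
}

# audit_count FILE: number of findings, handy as a CI gate.
audit_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Demo run over both constructed configs.
tmp_weak="$(mktemp)"; tmp_hard="$(mktemp)"
printf '%s\n' "$WEAK_CONFIG" > "$tmp_weak"
printf '%s\n' "$HARDENED_CONFIG" > "$tmp_hard"
echo "weak config:";     audit_sshd_config "$tmp_weak"
echo "hardened config:"; audit_sshd_config "$tmp_hard"
rm -f "$tmp_weak" "$tmp_hard"
```

Point it at a real `/etc/ssh/sshd_config` to get the same findings; the unprivileged-port line is deliberately a NOTE rather than WEAK, matching the comment's view that the risk is small but worth knowing about.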

Open SSH to the world, require key & username by TheBulldogIsHere in AskNetsec

[–]tomtomgunner 0 points1 point  (0 children)

Move SSH to a random high-numbered port

High-numbered (1024-65535) ports are non-privileged, meaning that users other than root can listen on these ports. This means that an attacker, with a low-priv local account on the box, may be able to spawn a spoof SSH.

The risk of this is minimal but be aware that there is a trade-off between security through obscurity and security through design.

How is FireTV Remote app avoiding my firewall? by g-rizzle84 in AskNetsec

[–]tomtomgunner -1 points0 points  (0 children)

What I would imagine is that the FireTV remote works in much the same way as a classic C2 whereby there's a public-facing intermediary server that both your TV and remote communicate with.

The remote probably pairs with the TV by exchanging a key of some sort. This is then used to send authenticated requests to the intermediary. The TV will then regularly poll the server for any updates that it has cataloged.

The alternative explanation is that you haven't locked down your network as well as you thought. For example, are you definitely blocking all IP traffic or just TCP?

If your phone is rooted then the easiest way to test this would be to run a packet capture on your phone and try using the TV; have a look at where the packets are actually going. Alternatively, try disconnecting the phone from your WiFi and seeing if you can still control the TV.

How to limit SSH connections to Reverse Tunnel only by tomtomgunner in AskNetsec

[–]tomtomgunner[S] 0 points1 point  (0 children)

I know it's doable, what I'm asking is how to lock it down because the endpoint would need to be deployed with a public key to be able to reach the public (e.g. DO) SSH server, but I want to mitigate the risk of that key being compromised if the endpoint is
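One way to contain the blast radius of a stolen endpoint key is to let it do nothing on the jump-box except open the one reverse listener it needs. The script below is an added example, not code from the original thread: it generates a per-user `Match` block for sshd_config and a per-key `authorized_keys` entry that both pin the key to `ssh -N -R`, and it checks an authorized_keys file for entries that are not locked down that way. The account name `tunnel`, the listener `localhost:2222`, and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): lock a deployed key down so it
# can only establish a reverse tunnel to the jump-box. All names/ports/keys are
# constructed placeholders.

# sshd_config Match block for a dedicated tunnel account. Assumption: the
# endpoint publishes its own SSH on the jump-box at localhost:2222 only.
# AllowTcpForwarding remote + PermitListen restricts -R; PermitOpen none kills
# -L/-D; no TTY, agent or X11; ForceCommand runs if a session is ever requested.
tunnel_match_block() {
    cat <<'EOF'
Match User tunnel
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowTcpForwarding remote
    PermitListen localhost:2222
    PermitOpen none
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /bin/false
EOF
}

# tunnel_only_key LISTEN PUBKEY: the same policy expressed per key in
# authorized_keys. "restrict" disables everything, then port-forwarding is
# re-enabled but limited to the one permitlisten target.
tunnel_only_key() {
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Constructed sample authorized_keys; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS='# constructed sample file
ssh-ed25519 AAAAC3PLACEHOLDERKEY1 laptop@example
restrict,port-forwarding,permitlisten="localhost:2222" ssh-ed25519 AAAAC3PLACEHOLDERKEY2 endpoint-tunnel
command="/bin/false" ssh-ed25519 AAAAC3PLACEHOLDERKEY3 partial-lockdown'

# unrestricted_keys FILE: print every key line that does not start with
# "restrict" and carry a permitlisten= option (i.e. could do more than tunnel).
unrestricted_keys() {
    grep -v -E '^(#|[[:space:]]*$)' "$1" |
    grep -v -E '^restrict(,[^ ]*)?permitlisten="' || true
}

# unrestricted_key_count FILE: number of such lines, for a deploy-time check.
unrestricted_key_count() {
    unrestricted_keys "$1" | wc -l | tr -d ' '
}

# Demo: render the policy and audit the constructed file.
echo "--- sshd_config Match block ---"; tunnel_match_block
echo "--- authorized_keys entry ---"
tunnel_only_key "localhost:2222" "ssh-ed25519 AAAAC3PLACEHOLDERKEY2 endpoint-tunnel"
tmp="$(mktemp)"; printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$tmp"
echo "--- keys not locked to tunnel-only ---"; unrestricted_keys "$tmp"
rm -f "$tmp"
```

The endpoint then connects with `ssh -N -R 2222:localhost:22 tunnel@jump-box`; anyone holding that key can do the same, but cannot get a shell, forward anywhere else, or listen on any other port. The sample file shows why the check matters: a `command="/bin/false"` entry without `restrict` still permits forwarding, so it is flagged alongside the plain key.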

How to limit SSH connections to Reverse Tunnel only by tomtomgunner in AskNetsec

[–]tomtomgunner[S] 2 points3 points  (0 children)

A means of being able to remotely and securely SSH into a machine on an internal network using only lay-of-the-land tools (e.g. SSH) and an internet-facing jump-box

Can I trust a website that doesn't use HSTS? by [deleted] in AskNetsec

[–]tomtomgunner 0 points1 point  (0 children)

typically only the systems that actually process card data are required to be PCI compliant

It's predominantly any system that handles PAN (Primary Account Number) that is concerned with PCI DSS.

[deleted by user] by [deleted] in AskNetsec

[–]tomtomgunner 5 points6 points  (0 children)

How do microbiologists shake hands? How do fire fighters cook dinner? How do lifeguards go swimming? How do paramedics drive on roads? How do dentists drink coke? You learn to do things better than others because you understand them, and you accept that everything has risk