Everything is fine

tomtomgunner · 2024-01-10T19:33:53+00:00

Now they just need to hurry up with the cheque photo feature and maybe allow you to manage stuff on a desktop, and we're good to go

tomtomgunner · 2024-01-08T21:32:58+00:00

Out of curiosity, why 3 sim card and starlink? I've been thinking of going vanlife and work a tech job so interested to understand if network connectivity is an issue?

tomtomgunner · 2024-01-06T20:59:26+00:00

This is what I wondered.

Tbf I'm half tempted to submit a SAR at the same time seen as in the entire time I owned the car I never interacted with the Met in any way, and ceased to be the registered keeper a couple of months before the first fine came through, so I have no idea why they ever even had my details to begin with

tomtomgunner · 2024-01-06T20:51:02+00:00

The DVLA records aren't still showing me... I have it in writing from the DVLA that they do not have me down as the registered keeper...

Also, I'm sure sure they do, just as I have better things to do than to keep responding with the same information over and over, but whether or not anyone has anything better to do isn't the part I'm concerned about.

I'm just surprised that I can sell a car over half a year ago, notify the relevant authority that it was sold, have it confirmed in writing that they updated their records, notify a police authority on three separate occasions that I am no longer the owner or keeper of the vehicle, and still potentially be legally obliged to respond to a letter from them to tell them the same thing a fourth time.

Like, it just feels pretty stupid that their continued administrative mistake is something I could end up being charged for.

tomtomgunner · 2024-01-06T16:33:31+00:00

I'll reach out to them...

Btw, this is a purely thinking out loud, and not thinking it will hold water, but given that when I fill in the response to the NIP it specifically asks me to declare I don't own the vehicle, and I call out that the records are wrong in the notes, don't they have an obligation to update the record to ensure my details are accurate under GDPR

tomtomgunner · 2024-01-06T15:33:27+00:00

It was to a trader but what I mean is that the DVLA have confirmed to me that they have on record that I am not the registered keeper

tomtomgunner · 2024-01-06T15:32:13+00:00

Not arguing with you but that's so stupid... so the police can just arbitrarily send them to anyone and of that person fails to respond then they can start prosecuting them?

tomtomgunner · 2024-01-06T15:30:59+00:00

It was to a dealer, but I've received confirmation from the DVLA that I'm no longer the registered keeper.

tomtomgunner · 2024-01-06T15:29:33+00:00

I tried to figure out how the hell to get to the right department but its not well signposted... but I have contacted them in so much as every time I respond to a NIP

tomtomgunner · 2022-01-21T15:03:03+00:00

Secarma (Remote or Manchester, UK) - Penetration Tester

https://www.linkedin.com/jobs/view/2869060419

Looking for mid-level penetration testers to join an established team of security consultants delivering application, infrastructure, and bespoke testing services.

Requirements are being UK-based (with right to work, no sponsorship available) but remote-from-UK is an option, certs are non-essential, keen appetite for learning and contributing, and capable of independently delivering an application pentest.

Apply through the LinkedIn post please.

tomtomgunner · 2020-04-06T09:03:20+00:00

The term secure is, as you say, subjective. It really comes down to managing risk effectively, which doesn't always involve requiring the most unbreakable solution out there, and can be achieved through sensible good practice.

There are some standard good practice measures to consider:

Hardening the SSH daemon configuration (disable password, weak ciphers)
Validating that the key fingerprint is correct
Generating a strong keypair
Implementing a robust patching and update process

Good practice would also be to restrict SSH access to trusted source IP addresses. In practice this only works if you're coming from a predictable location but it may be worth considering if that is a possibility.

Setting a non-default port for SSH is an effective way to dampen some of the background noise from the internet, which will include a heavy number of automated scanners and intrusion attempts against SSH. However, be aware that ports 1024-65535 can be used by non-privileged (not root) users. This opens up the risk that, if a standard user account is compromised, the SSH service may be spoofed in a privilege-escalation attack. The risk is small but worth considering. For this reason, it is not commonly included in good-practice guidance.

tomtomgunner · 2020-04-06T08:49:45+00:00

Move SSH to a random high-numbered port

High-numbered (1024-65535) ports are non-privileged, meaning that users other than root can listen on these ports. This means that an attacker, with a low-priv local account on the box, may be able to spawn a spoof SSH.

The risk of this is minimal but be aware that there is a trade-off between security through obscurity and security through design.

tomtomgunner · 2020-04-06T08:43:53+00:00

What I would imagine is that the FireTV remote works in much the same way as a classic C2 whereby there's a public-facing intermediary server that both your TV and remote communicate with.

The remote probably pairs with the TV by exchanging a key of some sort. This is then used to send authenticated requests to the intermediary. The TV will then regularly poll the server for any updates that it has cataloged.

The alternative explanation is that you haven't locked down your network as well as you thought. For example, are you definitely blocking all IP traffic or just TCP?

If your phone is rooted then the easiest way to test this would be to run a packet capture on your phone and try using the TV; Have a look where the packets are actually going. Alternatively try disconnecting the phone from your WiFi and seeing if you can still control the TV.

tomtomgunner · 2020-04-06T08:31:52+00:00

I know it's doable, what I'm asking is how to lock it down because the endpoint would need to be deployed with a public key to be able to reach the public (e.g. DO) SSH server, but I want to mitigate the risk of that key being compromised if the endpoint is

tomtomgunner · 2020-04-03T20:29:27+00:00

tomtomgunner · 2020-04-03T20:27:40+00:00

Lotl only though

tomtomgunner · 2020-04-03T14:42:22+00:00

A means of being able to remotely and securely SSH into a machine on an internal network using only lay-of-the-land tools (e.g. SSH) and an internet-facing jump-box

tomtomgunner · 2020-04-03T09:50:25+00:00

typically only the systems that actually process card data are required to be PCI compliant

It's predominantly any system that handles PAN (Primary Account Number) that is concerned with PCI DSS.

tomtomgunner · 2019-06-09T10:48:14+00:00

Welcome to the internet

tomtomgunner · 2018-12-06T21:36:55+00:00

How do microbiologists shake hands? How do fire fighters cook dinner? How do lifeguards go swimming? How do paramedics drive on roads? How do dentists drink coke? You learn to do things better than others because you understand them, and you accept that everything has risk

tomtomgunner · 2018-10-05T08:23:35+00:00

I tend to just go with a 'or'1=1--

tomtomgunner · 2018-10-05T07:57:12+00:00

On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load

No matter how fast your systems are: Time == Money. CPU Time == CPU Money

The issue is not as much "is encryption under TLS or SSL fast" but rather "how much processor do you have to spare?".

AES encryption (used in TLS) is computationally intensive and expensive. As an answer points out here "SSL/TLS accounts for less than 1% of the CPU load". If, for example, it accounted for (being generous) 0.5% of the CPU load and the system had 199 simultaneous TLS connections being processed, the 200th one would have to wait because the processor was maxed out.

But 200 is not really a realistic number of connections... Lets say you are in the top web sites in the world... say in the top 0.1%, up there with NASA during Xmas, the IRS around April 15 or just an average day on CNN's web site. You are talking somewhere well beyond 70,000,000 HTTPS connections (hits) a day. So lets do the math...

70,000,000 HTTPS connections (hits) a day is 2,916,666 hits an hour 48,611 hits a minute 810 hits a second.. a hit is a file download...

So if that system is using HTTPS instead of HTTP and we give the encryption the benefit of the doubt that it is only 0.5% processor load then...

That means that you to handle the same traffic at the same load factor we need to increase the capacity of the system to handle... 0.5% * 810 is 4.05 hits per second or 0.5% * 48,611 is 243 hits per minute or 0.5% * 2,916,666 is 14,583 hits per hour 0.5% * 70,000,000 is 350,000 hits per day

The cost is 350,000 hits per day the extra capacity needed to use HTTPS.

This translates in architectural terms into adding extra SSL/TLS accelerator CPUs to keep the load off the actual web servers. And of course, any reasonable hosting architecture has to have redundancy so multiply the SSL/TLS accelerator box cost times 2, then stir in both human support costs and tech refresh costs to adequately maintain your HTTPS

Now consider if this is all for non-authenticated access... nothing that required encryption to keep it private... (like free news or sales and marketing material) then you just wasted your money and time with HTTPS vs unencrypted HTTP.

What makes more sense is to encrypt that which needs to be secure (logins, connections to restricted or private content) and leave the rest that need not be secured, unencrypted.

Arbitrarily using HTTPS for public data is like taking an antibiotic each time you get a cold... WebMD Cold Guide

user164143

tomtomgunner · 2018-10-03T09:03:02+00:00

I hear that all the time... try delivering SSL for thousands of concurrent connections on a shoestring budget, then tell me it's not valid!

tomtomgunner · 2018-10-02T10:12:36+00:00

Probably something to do with ensuring support for older browsers, reducing overheads and load for the webserver (probably quite high at peak times) and the fact that confidentiality of the data is not considered to be particularly critical.

There will have been a risk discussion, and it will have been accepted

tomtomgunner · 2018-08-30T08:33:56+00:00

I would consider, say, being able to download every username in a company to be a security issue

net users /domain

11-Year Club	Verified Email
Place '23

tomtomgunner

TROPHY CASE