

Can the Netherlands invoke article 5 of NATO if they get invaded, then? /s
Former Reddfugee, found a new home on feddit.de. Server errors made me switch to discuss.tchncs.de. Now finally @ home on feddit.org.
Likes music, tech, programming, board games and video games. Oh… and coffee, lots of coffee!
I � Unicode!




Big beautiful drop!


I’ll check in with Redundancy Department of Redundancy Department then
And don’t listen to the promises of big companies with billion-funds, they cook with water like the rest of us.
Oh, yeah, I remember when one of our super important core systems was migrated to SaaS. My system was interfacing with it, so I got notified about the migration to make a plan. I basically told them: “We’re using $API to connect to your system. Tell me the new hostnames and IP ranges and ports and I will configure the firewall on our end. Also, our connector for your migrated system will be deployed in $IP-range so please allow these inbound connections in your firewall.”
Half a year later I got a message: “Yeah, we just found out that $SaaS-provider never configured the firewall after our tickets and everything is reachable from the public internet. We’re forcing them to lock down the system now. Can you please tell us again from where you connect to us?”
If you put any data anywhere, assume it will be contained in a breach in the future. Blue teaming is hard. You have to be perfect every time. Red teaming is easy. You just have to wait till the blue team makes a simple mistake…
Mails sent to a company? Their or your mail account will be breached one day.
Account details on a webpage? Their user database will be leaked.
Your cloud drive, etc.
Even your data on your NAS at home or on your PC could get accessed in one way or another, you’re just a zero day and an unfortunate click away from disaster.
On the upside, as long as you do not have a target on your back, patch your stuff in a timely manner and keep some hygiene in configs, secops … You should be fine, as most automated attacks aren’t that high level and target the low hanging fruits. But that doesn’t make you completely safe.
In the German Ubuntu Wiki there’s a list of many streaming URLs of (local) radio stations ordered by country: https://wiki.ubuntuusers.de/Internetradio/Stationen/
Then they also have this list of online only radio stations, but those are heavily skewed towards German stations: https://wiki.ubuntuusers.de/Internetradio/Internetradio-Stationen/
Just plug those URLs into VLC or any other app of your choice (heck, even the browser should work) and you’re good to go.


That reminds me of copilot in the azure portal.
On every page, there’s a header section with some recommended actions you can do there and with a click on it, you can task copilot to do them for you.
Today, everything I got was to the extent of “decommission this Kubernetes cluster” and other destructive things you do not want to accidentally click on.
German has both genders for dogs, but since the variants look (and sound) slightly different, it’s not instantly obvious:
Der Hund - a male dog
Die Hündin - a female dog


I thought the easy way were “A Pussy So Tight No Dick Penetrates”?
Can I interest you in the blog Buried Treasure? The author reviews small and unknown indie games and there are a lot of pearls to be found.


Let’s just say „every unmarked block, but one“?
If we count diverse electronic trinkets (ESPs, Raspberry Pis, breadboards, LEDs,….) as crafting supplies, then yes that’d work perfectly
Bold of you to assume I thought of having something to take notes on handy when I need to take notes…
No, that’s just another hypothetical app that you’re using a reverse proxy for. I just included it to show how you can also set settings for a single subdomain/reverse proxy entry that isn’t used globally on all domains that get served. I used a hypothetical REST API that needs a CORS Header that other apps don’t need (or maybe serve themselves).
admin off disables Caddy’s admin interface (which shouldn’t be public, and if you’re using config files it usually isn’t needed, so just a bit of gardening).
servers sets some general server options.
And then I just inserted several blocks that each define a reverse proxy to a different app / backend to show that you can just dump them all in a single Caddyfile. And the last example is there to show that you can set specific settings only for a specific subdomain instead of globally. As I set headers mostly used by REST APIs, I just called that api.example.com instead of app3.example.com.
If you like, I can send you an example of the Caddyfiles that I’m using (I used the import directive to split every service into its own Caddyfile, you could just copy and paste everything in the same file). It will take a few hours until I get home, though.
But basically you can just put every subdomain and its target in a separate block and then add some things globally (e.g. passing the original IP, switching off the admin API of Caddy, …)
Something like this should work:
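    # Global options must sit in a bare { } block at the top of the Caddyfile
    {
        # Disable the admin API
        admin off
        servers {
            # Headers to read the original client IP from
            client_ip_headers X-Forwarded-For X-Real-IP
        }
    }

    app.example.com {
        reverse_proxy 127.0.0.1:8080
    }

    app2.example.com {
        reverse_proxy 127.0.0.1:8081
    }

    # Settings inside a site block apply to this subdomain only
    api.example.com {
        reverse_proxy 127.0.0.1:8082
        header {
            Access-Control-Allow-Methods "GET, OPTIONS"
            Access-Control-Allow-Origin "*"
        }
    }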
Go ahead and give them your Social Security number, and see what happens.
“Socially I’m rated 3/10, but for security I’m an 8/10. Now that I’m replying to this, I think my security score just dropped a bit, though.”


Yeah, that’s exactly why I didn’t use my own CA. There’s a plethora of devices that you now need to import the CA to and then you need to hope that every application uses the system cert store and doesn’t roll its own (IIRC e.g. Firefox uses its own cert store and doesn’t use the system cert store. Same for every Java-based application, …)
It’s fiddly with Caddy, as you need a specific plugin to get it to work with anything other than the default challenge. That means using a custom build via caddy - and with docker, you’re SOL. BUT you can just use certbot and point caddy to the cert file in your file system.
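The certbot route mentioned above, as an added example (not the commenter's own config): a Caddyfile site block that loads a certificate obtained by certbot instead of using Caddy's built-in ACME client. The hostname, backend port and certificate paths are assumptions; the paths follow certbot's default /etc/letsencrypt/live/<name>/ layout.

```caddyfile
# Added example; hostname, port and paths are assumptions.
nas.example.com {
	# Load an existing certificate and key from disk instead of
	# requesting one via ACME. Use fullchain.pem (leaf plus
	# intermediates), not cert.pem, so clients get the full chain.
	tls /etc/letsencrypt/live/nas.example.com/fullchain.pem /etc/letsencrypt/live/nas.example.com/privkey.pem

	reverse_proxy 127.0.0.1:8080
}
```

certbot keeps /etc/letsencrypt/live readable by root only by default, so the account Caddy runs as needs read access to both files. Caddy reads them when the config is loaded, so a renewal has to be followed by a reload, or by a service restart if the admin API is switched off with admin off.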