• 0 Posts
  • 276 Comments
Joined 2 years ago
Cake day: June 30th, 2023

  • This isn’t mainstream media.
    This is capitalism.

    This is a company making a product, selling it for a given price, then making additional money from embedded ads.
    Whether that ad revenue is additional profit, or to offset the actual cost of the item - because they sold it at a loss to beat their competitors - doesn’t really matter.
    This is the consumer paying for something, and not getting a full and complete product.

  • The researchers say that 41.5% of the attacks fail, 21% lead to account lockouts imposed by protection mechanisms, 17.7% are rejected due to access policy violations (geographic or device compliance), and 10% were protected by MFA.

    This leaves 9.7% of cases where the threat actors successfully authenticate to the target account, a notably high success rate.

    This actually has nothing to do with the fastHTTP library, other than it happens to be the library they use.

    Sounds like a classic brute force attempt, which happened to have a 9.7% success rate.
    Whether this is bad config on behalf of the user, or bad config on behalf of Azure isn’t really clear.
    Regardless, the fault is with Azure for not mitigating this and providing a secure-by-default service.
    I can’t believe 10% of users deliberately weakened their security settings.

    The article does mention MFA fatigue. I guess where so many “type in the code”/“is this you” type prompts resulted in the user just accepting (or worse, accepting by force of habit) to get rid of them.
    Unexpected MFA and security alerts should be investigated immediately.

  • The cheap Chinese stuff often uses knock-off ICs tho.
    They can be fairly difficult to detect, and will work for a short time or under very light loads. But they will be nowhere near the spec of the data sheets.
    They might massively overheat, not provide the correct currents or voltages, run at lower speeds. All sorts of corners being cut to turn a $2 IC into a 50¢ IC. Or a 50¢ IC into a 5¢ one.

    So yeh, might be the same PCB layout inside, it might visually look the same (or very very close) but the parts are likely to be counterfeit.

    Of course, it’s also probable that name brands might be hit with counterfeit parts inside as well. Hopefully their QA picks that up.

  • You can do reverse proxy on the VPS and use SNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
    This way, you don’t have to terminate HTTPS on the VPS, and you can load balance between a couple wireguard peers so you have redundancy (or direct them to different reverse proxies or whatever).
    On your home servers, you will need an additional frontend(s) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren’t standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
    This way, your home reverse proxy knows the original IP and can attach it to the decrypted HTTP requests as X-Forwarded-For. Or you can do ACLs based on original client IP. Or whatever.

    I haven’t found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven’t found that to really be an issue. I don’t really have a use case.
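The setup described in the comment above, written out as an added HAProxy example (not the commenter's own configuration). It assumes two hostnames (app.example.com, blog.example.com), WireGuard peer addresses 10.0.0.2 and 10.0.0.3 at home, a certificate at /etc/haproxy/certs/app.pem and an office range of 203.0.113.0/24; all of these are placeholders. The VPS half routes on SNI in TCP mode and never holds the private key; the home half accepts PROXY protocol, terminates TLS and sets X-Forwarded-For from the original client address.

```haproxy
# --- VPS (public edge): TCP passthrough, routed by SNI, no TLS termination ---
frontend public_tls
    bind *:443
    mode tcp
    # Hold the connection until the TLS ClientHello has arrived so that
    # req.ssl_sni can be read (the SNI field is sent in cleartext).
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend home_app  if { req.ssl_sni -i app.example.com }
    use_backend home_blog if { req.ssl_sni -i blog.example.com }
    # No default_backend: connections without a matching SNI are closed
    # instead of being forwarded somewhere unexpected.

backend home_app
    mode tcp
    balance roundrobin
    # send-proxy-v2 prepends a PROXY protocol v2 header carrying the real
    # client address. Both servers are WireGuard peers at home (assumed
    # addresses), which gives the redundancy the comment mentions.
    server home1 10.0.0.2:443 send-proxy-v2 check
    server home2 10.0.0.3:443 send-proxy-v2 check

backend home_blog
    mode tcp
    server home1 10.0.0.2:8443 send-proxy-v2 check

# --- Home (behind WireGuard): accept PROXY protocol, terminate TLS ---
#
# WEAK: binding accept-proxy on every interface lets any host that can reach
# port 443 forge a PROXY header and claim an arbitrary source address, which
# makes every src-based ACL below meaningless.
#   bind *:443 accept-proxy ssl crt /etc/haproxy/certs/app.pem
#
# CORRECT: bind only on the WireGuard address, so only the VPS can speak
# PROXY protocol to this frontend.
frontend home_https
    bind 10.0.0.2:443 accept-proxy ssl crt /etc/haproxy/certs/app.pem
    mode http
    # With accept-proxy, 'src' is the address from the PROXY header (the real
    # client), so forwardfor and src ACLs see the original client IP, not the VPS.
    option forwardfor
    # Example ACL on the original client address: only the (assumed) office
    # range may reach the admin area; everything else on that path is denied.
    acl from_office src 203.0.113.0/24
    http-request deny if { path_beg /admin } !from_office
    default_backend app_local

backend app_local
    mode http
    server app 127.0.0.1:8080 check
```

The point of the two bind lines in the home section is the one worth remembering: a PROXY header is trusted unconditionally by whatever accepts it, so the listener that carries accept-proxy must be reachable only from the proxy that is supposed to send it. Binding it to the WireGuard interface (or firewalling the port to the VPS address) is what keeps the X-Forwarded-For value and the src ACLs honest.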