
IHawkMike

@IHawkMike@lemmy.world


IHawkMike ,

So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)

I'll trust Cloudflare over Comcast/AT&T/etc. any day of the week.

IHawkMike ,

I know plenty about SNI already, but thanks. You might want to study more yourself, since we're being condescending.

https://blog.cloudflare.com/encrypted-sni/

Networking Gear Recommendations? (starting from scratch)

Hi, I hope it's appropriate to ask this here, considering this is the most active community closest to this topic (Networking). I am moving places shortly and will need to start from scratch with all networking equipment, including router and wifi-extenders. Am wondering what the general consensus is around networking gear, what...

IHawkMike ,

I would never use their firewalls/gateways, but their switches are pretty good for the price and their APs are decent (although tbh after 3 generations my next AP will likely be an enterprise Aruba).

That said, I still use Unifi in docker, everything is up to date, and nothing is requiring a sign-in to the cloud. Am I missing something? If it's just the firewalls, then I'm not surprised since I've never been remotely tempted to use them, but it sure isn't all of their devices.

IHawkMike ,

My firewall is a Fortigate 60F.

IHawkMike ,

I believe you. I'm just saying their non-firewalls (i.e., switches and APs) don't have that limitation.

IHawkMike ,

And what's wrong with asking that? Plenty of email platforms let you change your primary SMTP address and/or add/remove aliases.

It's a legitimate question. And it could be that the lack of ability to change it has a perfectly logical answer. It still wouldn't invalidate the question.

IHawkMike ,

You need to demand a raise. And keep working from home.

IHawkMike ,

I'm sorry, there isn't an option to arrange icons by "penis."

IHawkMike ,

You said Traefik is getting certs from Cloudflare, but do you mean it's getting Let's Encrypt certs using a CF DNS challenge? And if that is the case, then your browser should trust the Traefik endpoint since LE certs are publicly trusted.

Are you sure you're hitting Traefik when you get a cert warning? You need to update your internal DNS if not.

IHawkMike ,

If you, Traefik, and your origin server are on the same network, then it's going to be one hop regardless of whether you're hitting the Traefik proxy or the origin server. If Traefik is serving up the origin server's cert and not the LE cert, then Traefik is misconfigured to pass through instead of proxy, but I'm still not sure that's the case as it's almost harder to configure it that way than the correct way as a proxy.

What IP:port is your origin server listening on, what IP:port is Traefik listening on, and how is Traefik configured to reach the origin server?

IHawkMike ,

In that case, if CF is talking to Traefik and not the actual origin server, you just need to forget about the origin certs altogether and use LE certs in Traefik.

IHawkMike ,

Right, because international hackers are going to mobilize boots on the ground across the world to steal your fucking Optiplex.

IHawkMike ,

Exactly. Everybody on Lemmy a couple days ago was acting like the sky was falling when all we had were these one-paragraph FUD articles quoting Microsoft's own KB article. Most people commenting have no clue that "VPN" is a broad term covering at least a dozen different possible protocols and acted like Microsoft was intentionally breaking all VPNs.

The only thing I found was a reddit thread talking about how some VPNs using TPM-backed certs were broken. I, for one, am using an IPsec VPN with certs stored in TPM on one of the affected versions of Windows 11 and have had no problems. Nor have I had any issues with SSL or Wireguard-based VPNs, so it does just seem to be a fringe case they're warning about.

So Microsoft is just giving a heads-up that IT should probably include VPN testing in their patch cycle test rings and all the anti-MS people are losing their shit.

IHawkMike ,

The reality is they probably don't know the full scope or root cause and are going off of limited reporting coming from their beta channels.

But they likely determined the impact was low enough that they could still ship the update while they investigate further.

There are similar known issues reported in the update KBs all the time that sound much worse to me as an admin but are as equally low impact in the end. But they're not as easy for the layperson to latch onto like these low-effort "VPN no worky" articles.

Regardless, none of this absolves IT of the responsibility of testing patches.

IHawkMike ,

Yep totally. The documentation is downright wrong so much more today than it used to be. It's all written like they pawned it off on a junior engineer, who then threw shit at the wall until they got it working, then that process becomes the official documentation.

And don't get me started on Copilot hallucinating PowerShell cmdlets.

With support it's become kind of a game to see how quick you can get to T2. My tactic is to passive aggressively point out how their first response shows a complete lack of understanding of the topic, then directly request escalation.

IHawkMike ,

The rootkit is easy enough to turn off in the BIOS but I highly, highly recommend G-Helper instead of Armoury Crate.

Moving to it from AC is like leaving a prison cell full of screaming children and entering a calm beach.

IHawkMike ,

ASAs are still way more prevalent than they should be when Palo Alto and others are much better options. Still, I'm glad I barely have to deal with them any more.

IHawkMike ,

Oh yeah. They all do/will. But they are still better firewalls than ASAs.

How do I setup my own FOSS shopping website for my business?

Hello, I don't have much experience in self-hosting, I'm buying a ProtonVPN subscription and would like to port forward. I have like no experience in self-hosting but a good amount in Linux. I'm planning on using Proxmox VE with a YunoHost VM. I already have a domain name from Njalla. I'm setting up a website for my computer...

IHawkMike ,

Third. The first thing I mention when one of my clients asks anything about PCI is to offload as much card processing onto third parties as possible.

And if you have nothing in place yet, then 100% offloaded should be possible (with the possible exception of secure payment terminals if you need to process physical cards).

That said, it is still possible to use your own hosted WordPress storefront and offload the payment processing via tokenization or redirection. But a turnkey solution like Shopify might be better if you lack the experience.

IHawkMike ,

Civilization VI will probably last me at least until the next civilization.

IHawkMike ,

No, and it never has been. I use Firefox as my default and it has never changed.

IHawkMike ,

Why name drop Veeam as if they're part of the problem?

They at least have good options to protect backups from ransomware with Linux hardened repos and immutable object storage.

IHawkMike ,

I still fail to see how that's the product's fault.

Is there some ransomware-proof backup solution that you find most people do set up correctly?

IHawkMike ,

Three digits is not that easy to get by brute force. It'll be locked for fraud pretty quickly.

However, the CVV is usually only required for card-not-present purchases. One way around that is to imprint the number onto their own magstripe card and run it as a card-present transaction.

IHawkMike ,

Exactly. I decided to check it out a couple weeks ago and needing to install the Amazon app store was an instant nope.

Was going to look into side-loading but I didn't really have a use case to make it worth my time.

IHawkMike ,

To be fair, for the average consumer there are huge advantages to using an MSA.

Both Windows Hello and OneDrive bring both security and convenience to non-technical people in a big way.

There is no good reason the average non-techie user should be using a local Windows account in a cloud world.

IHawkMike ,

So you classify yourself as an average consumer or a non-techie when it comes to computers?

IHawkMike ,

Adding my vote for Zabbix. It was a bit of a bear to set up and I had to write custom scripts to install the agents with TLS settings that were secure enough for me, but once it's all set up it's amazingly easy and intuitive to use and incredibly customizable.

IHawkMike ,

Just mark it as final then. This whole thread is infuriating. People working themselves into pretzels with their misguided reasons for not wanting auto-save when they really just don't know how to use the software.

OP is right. I use Office 365 and haven't lost work on a document in over 10 years. Auto-save absolutely should be the default.

Passkeys might really kill passwords (www.theverge.com)

Passkeys: how do they work? No, like, seriously. It's clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it's not always clear how we, the normal human users, are supposed to use...

IHawkMike ,

Yep! In fact you can still use client certificates in certain passkey/WebAuthn authentication flows. It's more or less how Windows Hello for Business works (although X.509 certificates are only one type of key it supports).

IHawkMike ,

Yeah, I personally will only use hardware solutions for passkeys -- YubiKeys and TPM-backed WHFB creds.

But the other reply makes a very good point about adoption being more important than perfection since, even with software-backed passkeys, you still have the benefit of the secret never leaving the client.

IHawkMike ,

My 3930k is still alive and kicking. Just need it to hold out until Gen 15.

It also runs Windows 11 just fine.

IHawkMike ,

Yes it does make sense. Because the insurance companies operate completely on hypotheticals. And that has a very real cost to the business being insured.

IHawkMike ,

I'm always reminded of this video when I think about just how bad AR could be. But then again, it could be pretty cool if we can only keep control over our tech.

https://youtu.be/YJg02ivYzSs

Microsoft CEO calls for tech industry to 'act' after AI photos of Taylor Swift circulate X (www.themirror.com)

Microsoft CEO calls for tech industry to 'act' after AI photos of Taylor Swift circulate X::Satya Nadella spoke to Lester Holt about artificial intelligence and its ability to create deepfake images of others. After pictures of Taylor Swift circulated, he called for actions

IHawkMike ,

There are no perfect solutions so we might as well do nothing.

IHawkMike ,

It's a shit company for pulling this, for sure. But I kinda like the building.
