diy solar

Spam Attacks

I've seen an uptick in forum sites blocking all signups from VPN. And in an extreme there is one that blocks all posts and signups from VPN.

I can see the first but the second is way overkill. And the way they are determining it is a VPN is by tracking DNS lookups from a common IP, thanks google for selling the stats if not the lookups. Which is just dumb because in my ISP they have dedicated DNS servers that forward to the google server if they can't resolve it locally. So, ta-da, the whole CIDR block the ISP owns is considered a VPN.

The more realistic ones make VPN users do a captcha and another test plus a hold-the-button for 60 seconds. Tends to cut way down on the spammers. And in that case they also moderate the first 5 posts per user; the user isn't able to post more than the 5 until they have been moderated.
 
I was on yesterday and didn't notice anything going on but I just checked messages, went to forums and clicked on new posts. That's my routine when I have a lot going on.
 
I despise Captcha, though I see it as a necessary evil. Frankly I'd like to have MFA everywhere with my U2F device. I have a Yubikey for work that is 2-way, and a 1-way Thetis for my personal stuff. The only problem is if you lose the key life is bad. OTP is not a bad solution either, though the token can be compromised. My anger kicks back up when AFTER authenticating with my key/OTP I THEN get a captcha, or I have to get past a captcha before I can MFA. People just don't understand this security stuff. Make sure your password has at least 1 special character? Why? Okay ....;' Oh sorry you can't use ";" or "'" only one of these 8 special characters... Check entropy not weirdity. Someone just broke in to one of my hosting services <sigh>.

Forcing MFA reduces the footprint/window dramatically.
 
People just don't understand this security stuff.
I sure don't understand it. Is there a reliable 'internet security for dummies' that you can point me to? Kinda like the DIYsolarforum for internet security? Or even better, a step-by-step resource like the top-balancing resource here? I no longer use 'password' for my passwords and I haven't connected my washer/dryer to the internet but that's about as sophisticated as I've gotten.

Thanks.
 
The very idea of connecting my washing machine to the internet just seems totally strange. Like, do we need our washers getting hacked and posting the status of the washing of our underwear to facebook?
 
I sure don't understand it. Is there a reliable 'internet security for dummies' that you can point me to? Kinda like the DIYsolarforum for internet security? Or even better, a step-by-step resource like the top-balancing resource here? I no longer use 'password' for my passwords and I haven't connected my washer/dryer to the internet but that's about as sophisticated as I've gotten.

Thanks.
Naomi Brockwell on the Tubes (https://www.youtube.com/@NaomiBrockwellTV) does a pretty good job of translating security concepts from full on geek speak to simple straight forward concepts. I sometimes have my staff watch her videos. You are already off to a good start by NOT connecting everything you touch to the internet.

My 5 biggest security considerations:
  1. TNO: Trust No One. Every email and phone call is suspect until proven otherwise. Any request for anything of value (money, information, etc) requires in person or multiple contact points of confirmation. Email me? I'm calling you from the number I have in my phone, the last paper bill I got, or from the official company website I visit regularly. Not in my phone? I don't know you well enough to loan you money.
  2. Multiple points of contact:
    1. Multiple phone numbers - I'll use work # for a lot of things as scammers don't like calling businesses.
    2. Multiple email addresses - one for banking, one for business, one for social media, one for personal contacts. I don't use gmail/yahoo/etc for anything I consider important or private.
  3. Multiple devices:
    1. An old pc for financial: banking, paying bills, etc. Doesn't have to be fancy to do this. Use it for banking, utilities, turbotax, and don't use it to surf.
    2. A PC for fun/shopping.
    3. Limit what you use the phone for. I don't stay logged in to anything, I don't use it for banking beyond getting a text.
  4. Multiple browsers: Brave and Firefox for things that I log into that are not Microsoft and google, (Edge and Chrome for Microsoft and google), and use private/incognito mode when I am trying to figure out if a site is safe or not.
  5. Don't use "services" that are "free" and you don't understand. Assume every app you install on your phone is a) tracking you, b) selling any and all data they gather about you, and (notice I didn't say "or") c) trying to upsell you.
I'm 20+ years in healthcare IT/IS/Security and that's my typical rundown for family, friends and coworkers. Your behavior is your biggest security threat.

(I now return to your forum spam thread - and I thought spam on my email server was a headache, yikes)
 
I sure don't understand it. Is there a reliable 'internet security for dummies' that you can point me to? Kinda like the DIYsolarforum for internet security? Or even better, a step-by-step resource like the top-balancing resource here? I no longer use 'password' for my passwords and I haven't connected my washer/dryer to the internet but that's about as sophisticated as I've gotten.

Thanks.
I don't have a book, but at the core it boils down to paying attention, and not trusting. NEVER click on an unsolicited email link. The fact that some financial institutions still provide links in email is baffling to me. Solicited = I just clicked on my bank web site and I'm waiting for a code or something. Unsolicited = anything else. Always look at the actual URLs, not what the link says; if it looks goofy just say no.

99% of all security incidents boil down to someone giving up their credentials from some sort of phishing exercise. Once you get past there, longer is always better ( Obligatory XKCD: https://xkcd.com/936/ ). NEVER save your passwords in your browser. I know it's convenient, it is also the first thing I turn off whenever I crank up a new desktop. For passwords what you want is ENTROPY not funky symbols. That is a deep topic only interesting to geeks like myself.

I recommend KeePassXC on the computer; it's annoying but has integrations for all the browsers. It creates a pipe between itself and your browser and makes it impossible for someone to scrape your browser folder in a drive-by -or- get your stuff by compromising your google account/phone/etc. Make sure all your accounts are protected with some form of Multi-Factor authentication. The MOST secure is a U2F key (Yubikey and its brethren). This is a hardware device that uses one-way key cryptography, if your bank will support it; many do not. Google Authenticator and its cousins are fine for OTP (one-time, clock-based against a token), and you can also store OTP tokens in a keepass file. Anything important MUST BE SECURED WITH MFA! I note that KeePassXC's generator does an entropy test on the result.

I store my Keepass databases (Personal, Work, Work/Shared) on a shared mirrored resource. Note that the database format is standard; there are many tools that can manipulate the database as long as you have the password. I use my private Nextcloud, but Dropbox, Box, Microsoft OneDrive, any of those are fine, that way you always have a static copy on any attached devices, and I use KeePassDX on my Android. I use Keepass instead of authenticator to store my OTP tokens. A case could be made for separating your OTP tokens, but if they have managed to crack my keepass database I'm pretty much toast anyway, so one vault for everything.
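The "entropy not weirdity" point made a few posts up, and the "longer is always better" point in the post just above, can be put in numbers. The following is an added example written for this thread; it is not KeePassXC's generator code or anything from the posters. It scores a password by the size of the alphabet it was randomly drawn from (the same model a generator's entropy check uses), compares an 8-character "one special character required" password against a 16-letter lowercase one and a 4-word passphrase, and includes a hypothetical composition policy (`meets_legacy_policy`, with a made-up 8-character special list and a 16-character cap) of the kind the earlier post complains about. Names, limits and the word list are assumptions for illustration.

```python
import math
import secrets

# Character classes a typical composition policy draws from.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
# Hypothetical "only these 8 special characters" list (assumption, not from any real site).
EIGHT_SPECIALS = "!@#$%^&*"
FULL_PRINTABLE = 95          # printable ASCII, space through '~'

# Constructed tiny word list; a real one (diceware) has 7776 entries.
WORDS = ["correct", "horse", "battery", "staple", "solar", "panel", "inverter", "cell"]


def charset_entropy_bits(length, alphabet_size):
    """Bits of entropy in a string of `length` symbols chosen uniformly at random
    from `alphabet_size` symbols: log2(N**L) = L * log2(N).
    This measures the generator, not the string: "Tr0ub4dor&3" typed by a human
    is nowhere near 11 * log2(70) bits because humans don't pick uniformly."""
    return length * math.log2(alphabet_size)


def required_special_entropy_bits(length, alphabet_size, n_specials):
    """Entropy when the policy *requires* at least one of `n_specials` symbols.
    The keyspace shrinks to N**L minus the strings with no special at all, so a
    mandatory-special rule slightly reduces entropy compared with allowing any."""
    keyspace = alphabet_size ** length - (alphabet_size - n_specials) ** length
    return math.log2(keyspace)


def wordlist_entropy_bits(n_words, list_size):
    """Passphrase of `n_words` drawn uniformly from a list of `list_size` words."""
    return n_words * math.log2(list_size)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected offline brute-force time (half the keyspace) at a given guess rate."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


def meets_legacy_policy(pw, min_len=8, max_len=16):
    """Hypothetical composition policy: 8-16 chars, no ';' or "'", and at least one
    character from EIGHT_SPECIALS. Note it rejects long random passphrases."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if any(c in ";'" for c in pw):
        return False
    return any(c in EIGHT_SPECIALS for c in pw)


def gen_passphrase(n_words, wordlist=WORDS):
    """Generate a passphrase with a CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def comparison():
    """Return (bits for 8 chars over 70 symbols incl. required special,
               bits for 16 lowercase letters,
               bits for 4 words from a 2048-word list)."""
    alphabet = len(LOWER) + len(UPPER) + len(DIGITS) + len(EIGHT_SPECIALS)   # 70
    complex8 = required_special_entropy_bits(8, alphabet, len(EIGHT_SPECIALS))
    lower16 = charset_entropy_bits(16, len(LOWER))
    words4 = wordlist_entropy_bits(4, 2048)
    return complex8, lower16, words4


if __name__ == "__main__":
    c8, l16, w4 = comparison()
    print(f"8 chars, 70 symbols, special required : {c8:5.1f} bits")
    print(f"16 random lowercase letters           : {l16:5.1f} bits")
    print(f"4 random words from 2048              : {w4:5.1f} bits")
    print("policy accepts 'correct horse battery staple'?",
          meets_legacy_policy("correct horse battery staple"))
```

The takeaway matches the post: the 16-letter password has far more entropy than the 8-character "complex" one, and the special-character requirement actually shaves a little off. The caveat in the comments matters most: the formula only holds when the password was generated uniformly at random, which is exactly why a vault's generator is the right place to pick passwords.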
 
How would you rate that book on a scale of 1-12?

For a complete beginner, it's pretty good. Now, keep in mind I've been in security (I'm a cryptographer, I've done pen testing, etc.) in a past life - so while I find the content obvious, it's likely not so for a beginner. That said, start with the Cheat Sheet I linked to before getting the book. If you understand the principles there, you may need something more advanced. If not, go for the book.
 
if your bank will support it; many do not

Some banks in the States are so completely idiotic when it comes to this... I have an account with one bank there, still all you need is a password, and they still put artificial limitations on length, characters, etc. It makes me so angry sometimes. Here in Finland, OTP for banking is the standard, and has been for decades. Same in Belgium where you need your chip card, PIN, and OTP to log in to your account.
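Since clock-based OTP (TOTP, RFC 6238, built on HOTP, RFC 4226) comes up in the last two posts as the thing authenticator apps and KeePass both store, here is an added example of what the verifier side actually computes. This is code written for this thread, not Google Authenticator's or KeePassXC's implementation. It uses only the Python standard library, decodes the base32 secret the way authenticator apps share it, generates codes, and verifies a submitted code with a small clock-drift window and a constant-time comparison. The RFC test secret (`12345678901234567890`) and the replay-tracking design are the only things it assumes beyond the RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret, as the base32 string an app would import.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(s):
    """Authenticator apps share secrets as unpadded base32; restore the padding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6,
                window=1, last_counter=-1, algo=hashlib.sha1):
    """Return the matched counter, or None if the code is not valid.

    - Accepts +/- `window` steps of clock drift.
    - Compares in constant time (hmac.compare_digest), not with ==.
    - Rejects any counter <= last_counter so a sniffed code cannot be replayed
      inside the drift window; the caller must persist the returned counter.
    """
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    base = int(for_time) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


if __name__ == "__main__":
    key = secret_from_base32(TEST_SECRET_B32)
    print("HOTP counter 0..2:", [hotp(key, c) for c in range(3)])
    print("TOTP at T=59 (8 digits):", totp(key, 59, digits=8))
    print("current code:", totp(key))
```

The two things worth noticing are the replay guard and the window: a bank that accepts any code within several minutes and never records which counter was used has turned a one-time password into a short-lived static one, which is the "token can be compromised" weakness mentioned earlier in the thread.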
 
Almost all the high-profile breaches you read about started with someone inadvertently giving up credentials to an account.
Every one I am aware of was that way. Even our not so high profile cases locally were traced back to that. I make sure I talk to every staff member weekly and they know MY name and that I don't call myself by some title. That's hard in big corporations. Thankfully we are under 200.
 
I did physical pen testing with social engineering.

You would be surprised how easy it is to get in places you're not supposed to be.

Same here. Wear a hard hat and a vest, walk in, and let them know someone a few floors higher reported an overflowing toilet. They let you right in...
 