No progress today
Day-job has mostly been clearing up after User Errors*, and waiting around between appointments.
*including typo-ing their own email address, and then panicking that their whole email system had failed
I finally figured out my problem with the mechanical keyboard - I am a lousy typist :)
#PEBCAK
@Depemig : my proposal is that your browser "remembers", among other things, the certificate of each website you've visited (while using a specific browser, optionally synchronized with browsers on your other devices).
"Remember" as in using a database (a bit resembling an HSTS database) with records that consist of (back-of-the-envelope quality, just figured this out):
Exact domain name (key);
UserChoice: temporarily untrusted or trusted, permanently untrusted or trusted, always trusted if your device is connected to one of the trusted networks (in a list specified by the user), low/medium/high trust, [...];
Timestamp of last visit;
CertTrust: the trustworthiness of the certificate referenced below;
Mode (*): the cryptographic hash below is calculated from a certificate or from the public key in a certificate;
Hash (cryptographic) of the last certificate "seen" by the browser, its public key (*), or null if using http.
(*) My AVM Fritz!Box router generates a new (self-signed) certificate each time its software is updated. However, the asymmetric keypair remains the same, so I'd like to "pin" that public key. Obtaining public certificates for IoT equipment (typically on private networks, as in [1]) is hard - if not impossible. So it would be a good thing if browsers allow http connections, or https with self-signed certs, on specified trusted networks. That is, without asking every time - or never again (like Chrome seems to do). Which becomes a bigger risk if your device happens to be connected to an untrusted network, such as public WiFi.
If privacy is a concern, the browser could generate a "pepper" (a random value that is kept as secret as possible by the browser). Instead of storing the domain name and hash, the browser then stores the result of an HMAC function with the pepper as one of the inputs and either the domain name or the hash as the other input. In that case, even attackers who obtain access to the database (provided that they don't also obtain access to the "pepper") will not easily be able to determine which websites the user visited and when.
When visiting a website with a specific domain name, the browser searches the database for the domain name (or calculates the HMAC of the pepper and the domain name and looks up the resulting value).
If no matching record is found, the user is warned that they've never visited that website before (and that they therefore should not log in, buy stuff, or trust the website in any other way, without further research).
Either no content (except the certificate - usually a certificate chain) is downloaded from the website, or the browser acts as normal (to not make the owner and hoster any wiser) but does not *show* any (potentially misleading) website content to the user of the browser - until the user decides to trust the website.
Instead the user gets to see as much metadata about the website, plus authenticity indicators, as possible (as I described in [2]) - before they decide to, more or less, trust the website.
Gilles Dutilh aka DePemig ended with:
« By the way, I could imagine some plugin that reads a website's main content and then checks whether the url you're visiting looks like a legitimate url domain for that site. Ever read about something like that? »
No (I've not looked for such a plugin though). However, IMO this should be standard functionality in every web browser.
The reason is the lack of knowledge of something comparable to *physical location* (In Real Life) as part of authentication of "servers" like shops or branches (offices) of a bank. The reason why chances are near zero for encountering fake shops or bank offices in the center of a city is that it's hard to get permits, investments are huge and chances of being caught are very high. Not so on the internet.
For example, Samy Kamkar's website, https://samy.pl, is not located in Poland and AFAIK he is not Polish, and he probably does not write viruses anymore (I much enjoyed it when he told an audience I was in "How I Met Your Girlfriend". In another setting: [3]).
Currently internet users often don't even know which country the person(s) responsible for a website live(s) in, which decreases the trustworthiness of *all* websites because users cannot reliably distinguish between them.
Therefore users simply *need* to know, with a specified reliability, *who* is responsible for a website - *before* they can (more or less reliably) determine how much of their trust a website with a specific domain name *PLUS* additional useful identifying information, deserves.
[1] https://www.rfc-editor.org/rfc/rfc1918
[2] https://infosec.exchange/@ErikvanStraten/113079966331873386
[3] https://www.youtube.com/watch?v=fWk_rMQiDGc
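One way to implement the lookup described in the post above, as an added example that is not part of the original post: a table keyed by HMAC(pepper, domain) whose records hold the peppered hash of either the whole certificate or only its public key (the "Mode" field), so a self-signed router certificate regenerated after a firmware update still matches as long as the key is unchanged, while an unknown domain or a changed pin yields a warning. The field names, the verdict strings and the byte strings standing in for DER certificates are assumptions for illustration; a real browser would hash the DER-encoded certificate or its SubjectPublicKeyInfo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _tag(pepper: bytes, value: bytes) -> str:
    """HMAC-SHA256 of value under the browser's secret pepper, as hex."""
    return hmac.new(pepper, value, hashlib.sha256).hexdigest()


@dataclass
class Record:
    user_choice: str        # e.g. "temp-trusted", "permanently-untrusted" (assumed labels)
    last_visit: int         # unix timestamp of the last visit
    cert_trust: str         # trustworthiness the browser assigned, e.g. "self-signed"
    mode: str               # "cert": pin the whole certificate; "spki": pin its public key
    pinned: Optional[str]   # peppered HMAC of the SHA-256 hash, or None for plain http


class VisitDb:
    """Per-browser memory of visited domains, keyed by HMAC(pepper, domain)."""

    def __init__(self, pepper: Optional[bytes] = None) -> None:
        # The pepper never leaves the browser: a copied table alone reveals no domains.
        self.pepper = pepper if pepper is not None else secrets.token_bytes(32)
        self.records: Dict[str, Record] = {}

    def _key(self, domain: str) -> str:
        return _tag(self.pepper, domain.lower().encode())

    def _pin(self, material: Optional[bytes]) -> Optional[str]:
        if material is None:  # plain http: nothing to pin
            return None
        return _tag(self.pepper, hashlib.sha256(material).digest())

    def remember(self, domain: str, cert: Optional[bytes], spki: Optional[bytes],
                 mode: str, user_choice: str, cert_trust: str, now: int) -> None:
        """Store the user's decision after they chose to trust the site."""
        material = cert if mode == "cert" else spki
        self.records[self._key(domain)] = Record(
            user_choice, now, cert_trust, mode, self._pin(material))

    def check(self, domain: str, cert: Optional[bytes], spki: Optional[bytes],
              now: int) -> str:
        """Verdict for a new visit: "unknown" (never seen: warn and show metadata
        only), "changed" (pinned material differs: warn) or "known" (match)."""
        rec = self.records.get(self._key(domain))
        if rec is None:
            return "unknown"
        if cert is None:
            material = None
        else:
            material = cert if rec.mode == "cert" else spki
        if self._pin(material) != rec.pinned:
            return "changed"
        rec.last_visit = now
        return "known"


if __name__ == "__main__":
    # Constructed scenario: a router whose self-signed cert is regenerated on update.
    db = VisitDb()
    spki = b"constructed SubjectPublicKeyInfo of the router"
    db.remember("router.example", b"constructed self-signed cert v1", spki,
                "spki", "trusted-on-home-network", "self-signed", 1000)
    print(db.check("router.example", b"constructed self-signed cert v2", spki, 2000))
    print(db.check("router.example", b"constructed cert", b"a different key", 3000))
    print(db.check("bank.example", b"constructed cert", b"constructed key", 4000))
```

Pinning the public key (mode "spki") is what makes the router case work; pinning the whole certificate (mode "cert") is the stricter choice for sites that rotate keys rarely, at the cost of a warning on every renewal.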
@fifonetworks : it's a taboo. Nobody really wants to accept that infosec is extremely hard, and most are in denial that they're at bigger risks than they think they are.
We (security people) often come up with a bunch of measures without explaining why they are a good idea, what side effects they have and which risks are not covered at all.
Here's one example: "use 2FA".
WEAK MFA
• Why use 2FA/MFA in the first place? Because most people use (and reuse) extremely weak passwords. 2FA does not _SOLVE_ *that* problem.
• SMS and voice are a bad idea anyway because of the risks of telephone "line" interception, call redirects or "SIM-swaps" (i.e. a miscreant hijacks your phone number).
• Many TOTP apps suck or sucked (see https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan by Conor Gilsenan
@conorgil et al. in https://infosec.exchange/@conorgil/109542074585730853). A *lot* of people lost access to their accounts because Google Authenticator would not make backups of the underlying secrets, which people found out about after their phone died or was stolen. Authy in particular is bad (in Dutch: https://tweakers.net/nieuws/207532/#r_18549330).
Effectively TOTP apps make people use a second password (unique for each website-account) that, supposedly, they do not have to remember, nor are they made aware that therefore (secure!) backups are a necessity. If those secrets are simply stored in their cloud-accounts, without encryption using an *independent* password, then they offer an extremely overestimated level of protection (it's mostly security by obscurity in such a case).
• None of the regular 2FA/MFA solutions protect against "evil proxies" (like those based on EvilGinx2) often provided by PhaaS (Phishing as a service) providers, used by a rapidly increasing number of attackers - as acknowledged by Microsoft in 2019 (link + details in https://infosec.exchange/@ErikvanStraten/112974991373414022 - whose marketeers, IMO misleading, still love to tell anyone that they should use Microsoft Authenticator).
STRONG MFA
Strong MFA (such as provided by passkeys and hardware keys) eliminates the *human* vulnerability of not knowing whether a given domain name belongs to the apparent (easily impersonated) owner of a website.
However, an increasing number of mis-issued certificates (this week, for potentially all of the .mobi TLD: https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/; some earlier attacks: https://infosec.exchange/@ErikvanStraten/112914050216821746) means that passkeys and hardware keys are *not* as phishing-resistant as marketeers like us to believe.
That apart from the fact that passkeys and hardware keys are *not at all* without other issues.
PHISHING
There are roughly two types of phishing:
1) Where the user shares information with a website of an owner they believe to have interacted with before, or
2) Where they share personal info with, and/or pay money to, a website of an owner who is "new" to them (like a webshop that they've never done business with before).
Of course, 2FA/MFA do not help at all in case 2 (example in https://infosec.exchange/@ErikvanStraten/112988945087291542).
IMO it is impossible to teach most people to reliably distinguish between fake and real on the internet (this is not only *my* opinion: https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html).
The common "instructions" to distinguish between fake and real websites are totally unreliable, like "check for typos" or use a site like scamadviser. There are way too many false positives *and* false negatives, while cybercriminals have an easy job to evade all such criteria. It should not be a requirement to be a forensics expert to safely use the internet.
INTERNET IS TOO INSECURE
We need to fix the internet first before we bother people with (currently unreliable) measures (typically without pointing out remaining or new risks).
FIX
Big tech have turned certificates into something comparable to passports that only show a totally meaningless SSN (Social Security Number). Which is why cybercrime is booming on the internet (for example, look at the approx. 1500 domain names listed below "Website data" in https://www.scamadviser.com/check-website/href.li).
Fix: see https://infosec.exchange/@ErikvanStraten/113079966331873386.
EXAMPLE
See the images below. When tapping "Scan", Chrome on my Android phone goes full screen and scans C:\Users\ (among others). Eventually it advised me to download "t4gf8h.zip" (https://www.virustotal.com/gui/file/0858ecedb7bfa0c148cd2ed282cd0dc7e11beee5c00fccebc4eb9f98094a7a67/summary).
FAKE VS REAL (AUTHENTIC)
Even strong MFA/2FA does not help. How are (non-nerd) Windows users supposed to know that this is *NOT* a McAfee website and *NOT* a McAfee virus scanner, which currently (according to VT, which may not be 100% correct, but -in my experience- provides a good indication) is detected by only 7/67 scanners?
@gmc@hsnl.social @Tusky That's because you had your old account selected, silly. Not a #TuskyBug at all.
So I found a new feature....
When you, within a folder - like your download folder - search for a file and then rename it, you rename a lot of files.
Wanna know how i know?
When you walk the path of the #pebcak you are essentially alone.
Your dramas belong exclusively to you, and if you can't find your own solution you're just screwed (by yourself)…
The moment when you get annoyed that your bash one-liner, which is supposed to regularly clean up pointless files, has ONCE AGAIN not run…
…only to realise that the line assumes months in the string always start with 0, so the thing ignores files from October/November/December.
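The failure mode in the post above, reconstructed as an added example (not the poster's own one-liner, and in Python rather than bash): a pattern that assumes a leading zero in the month silently skips October to December, while a pattern that spells out the valid months catches all of them. The filenames and both patterns are constructed for illustration.

```python
import re
from typing import List, Pattern

# Constructed filenames of the kind a clean-up one-liner would select on.
FILES = [
    "report-2024-01-05.tmp",
    "report-2024-09-30.tmp",
    "report-2024-10-02.tmp",
    "report-2024-12-24.tmp",
]

# Buggy: assumes every month is written 01..09, so 10, 11 and 12 never match.
BUGGY = re.compile(r"-\d{4}-0[1-9]-\d{2}\.tmp$")

# Fixed: accept exactly the valid two-digit months 01..12.
FIXED = re.compile(r"-\d{4}-(0[1-9]|1[0-2])-\d{2}\.tmp$")


def select(pattern: Pattern[str], names: List[str]) -> List[str]:
    """Return the filenames the clean-up job would act on under this pattern."""
    return [name for name in names if pattern.search(name)]


if __name__ == "__main__":
    print("buggy pattern selects:", select(BUGGY, FILES))
    print("fixed pattern selects:", select(FIXED, FILES))
```

A quick way to catch this class of mistake is to run the selection against a constructed list that covers every month before trusting the job with real files.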
Hello there, for the ones who love sneak peaking, lurking and being totally into the chisme, I've just uploaded but not yet officially published my latest effort, a series of gemlogs called: Make a StealthBox with Devuan and Libre Computer Renegade
gemini://omg.pebcak.club/~freezr/gemlog/stealthbox-with-devuan-and-libre-computer-renegade.gmi
I need to complete some sections but it is 99% ready!
Welcome to the new era of modernology!
The #Modernology, in analogy with the #Archeology, is the discipline of finding the fragments of truth or correctness in the endless sea of misinformation that the modern Internet offers.
When we are looking for info or a solution on the #internet
we are all #modernologists!
To find the right answers to my (#pebcak) problems I must, every time, read and test countless useless quasi-carbon-copy blogs, articles and other info, all of them claiming to be correct, but unfortunately each only holds a small fragment of the jigsaw puzzle that will solve my issue.
If you feel the same way it means you are a true modernologist!
I haven't found a compelling methodology yet; what I know is that you have to test your solution several times until you find the recipe that requires the fewest steps.
Be a proud modernologist against the internet #enshittification
An inordinate amount of my time on the job these last few weeks has been related to typos made by others. #frustrating #HaveYouTriedRebootingTheComputer #picnic #pebcak
#PleaseDoubleCheckYourWork
Why the heck aren't these ESP8266 boards flashing on this computer? They must be broken! They must be fakes!
[checks kernel config]
Oh silly me compiling a kernel without USB serial converter support, heh, who thought they'd ever need a serial port in 2023 amiright? lol
My long awaited and overdue #pebcak #guide to make your personal #Gemini #Capsule that you can own by yourself, has been issued!
This is for all the people who like writing and sharing experiences online, in a secure and safe manner that promotes privacy and ownership of your data.
This is not meant to build your IT career; please don't do that if you really want to pursue that path!
Gemini is the best way to manage and handle an online blog, but why?
Because, it is:
Some very bad people will tell you that you can't personalize your Capsule the way the web does. Don't listen to them; as a pro designer I can tell you there is nothing further from the truth, and that such a ridiculous statement is a brutal falsity.
Every Capsule is different and reflects each writer's personality; some capsules are amazing in the way they are organized. It is incredible how very strict constraints don't stop human beings from being creative!
I am not saying that all the capsules are cool, but surely I have seen a lot of amazing capsules. If you won't accept this, I would tell you that 99% of web blogs are a huge pile of crap instead, and if you have the tools but lack the skills you had better move to Gemini instead.
Please, if you don't know what I am talking about, do a favor to yourself and download Lagrange:
https://gmi.skyjake.fi/lagrange/
You can learn more here:
And last but not least my guide!!!
Main topics:
#FreeBSD the amazing unix-like operating system!
#BastilleBSD a great tool to handle FreeBSD jails!
#GMID the awesome software that serves my capsule!
@jferg @simplenomad @pluralistic Had to look up #PEBCAK again.
It was worth it.
@killyourfm @protonmail #pebcak strikes again... :blobfoxwinkmlem: