Speaking at BSidesSF 2019
I’m grateful that BSidesSF gave me an opportunity to speak and share with the community. It was a lot of fun the second time around.
I appreciated the opportunity to speak at AllDayDevOps this year. Thanks to AllDayDevOps for releasing recordings of all of the talks. Here’s mine!
AWS Elasticsearch Service is a quick and easy way to spin up Elasticsearch clusters. Unfortunately, the default authentication for the Kibana visualization plugin is, well, none. If you can access the Kibana dashboard, you’re in! I wanted to make sure that the data in some of our internal AWS Elasticsearch clusters was protected. With everything else consolidating around a SAML SSO identity provider, I was hoping that it would be relatively simple to tie the two things together.
I’m grateful that BSidesSF gave me an opportunity to speak and share with the community. It was a lot of fun, particularly getting to see an artist do a live sketch of my talk. After immersing myself in a preparation, it’s interesting to see what the main points that a listener is pulling out in real time.
So after slamming in the UniFi WiFi system, I had rock-solid internet almost everywhere in my house, except the desk where I actually work from home. That one corner - the one place where I actually do work people sometimes pay me for - had WiFi speeds 90% slower than everywhere else. And as The Oatmeal points out, the only thing worse than no internet is slow internet. This obviously could not stand.
Here are two methods to protect SSH with a multi-factor setup. Quick disclaimer: the scripts below are built generically and require you to do a bit of additional work inserting your own secrets. If you just run these scripts without inserting your own keys or API tokens, you won’t be able to pass the second-factor challenge and you can permanently lock yourself out of your own system. The scripts will take you 90% of the way, but be sure to do the follow-on steps.
This is a follow-up from part 1, and assumes that you have a fully functional copy of whatever WordPress site you’re looking to migrate at some-app-name.azurewebsites.net
So let’s start with the easy and fun stuff first: the free part! Microsoft has a fantastic donation program set up for most non-profits to get $5000 per year in free Azure computing. It’s pretty fantastic. If you have 501(c)(3) status (or the equivalent in your country), pop over to the Azure donation website, double-check that you meet the eligibility requirements (no political orgs, no government orgs, stuff like that) and start the application process. It costs you nothing to apply, and even if you aren’t planning to use it to host your website like I outline here, $5000 in free compute is hardly a liability. Spin up a massive GPU instance and mine bitcoin at the least!
So F5’s documentation is pretty amazing, and the automatic updates to the ASM signature set have taken care of 95% of the security issues that I’ve encountered so far. The last time Apache Struts had a public exploit (the same vulnerability at the root of the Equifax breach), it was great to log on and see that it was already blocked by the existing ruleset.
It was death by papercuts, but my old AirPort Express router finally bit the dust. With the addition of Pi-hole, it was fine. Not great, but with 30 minutes of fiddling with it every week and setting it on a timer to reboot regularly, it was marginally acceptable. With so much of my life and work tied pretty directly to the internet, I ended up making the same calculation that Troy Hunt did, that paying for quality networking gear will pay off in the long run, and bit the bullet to buy a full UniFi setup.
As the old New Yorker cartoon goes, “On the internet, nobody knows you’re a dog.” If you tell a computer that you are Big Bird from Sesame Street, it will believe you unless someone had instructed it beforehand how it can verify claims of Big Bird-ness; like checking if they’re 8 feet 2 inches tall, yellow and covered in feathers.
Pi-hole is great! The AirPort Express it’s been saving, not so much. Things had been going swimmingly right up until we had our first overnight guest. I, like most modern hosts, recognize that wi-fi has dropped itself into the base of the modern Maslow’s hierarchy of needs, and in being hospitable to our guests I generally want to provide that. AirPort Express has a great checkboxy “create a guest network” feature, save that you can’t specify different DNS servers for the guest network.
When spinning up my home network, I went the route of overpaying for an Apple AirPort Express. I spend a lot of time fighting with technology at work, so I’m happy to overpay for the hardware in order to get the legendary Apple “It just works.” peace of mind back at home. Which was great! Until it wasn’t.
Hello world! I’m Benjamin and I figure things out. For the longest time, I had my own ‘site’ at a vanity URL; nothing all that much to look at, but enough to not be completely embarrassed when people tried to see if there was something behind the email address I put on resumes. At the time I used the tools that I knew and slapped something together in a few afternoons using Joomla and a cheap webhost and completely forgot about it.