• 4 Posts
  • 96 Comments
Joined 2 years ago
cake
Cake day: June 11th, 2023

help-circle
  • I bet that 1234 is used more often because of the 4-character minimum, like PIN codes on debit cards. It’s 4 characters so it’s safe. 123, on the other hand, is not safe, because it is 3 characters. /s

    My solar inverter admin interface has a certain 4-digit password. So I wanted to change it to secure it, and found out that it only allows 4-digit passwords. Luckily the access point can be set up with a higher entropy password though (it is constantly advertised and had a very “secure” 8-digit password by default, I think you can guess which one)



  • The way I understand it, there’s 2 use cases for a VPN, with different concerns and providers:

    • having access to your private home network from anywhere, through an encrypted tunnel (Tailscale, Wireguard on the router, etc)
    • having your outgoing traffic to the internet go through an anonymized exit node so that your ISP can not watch or sell what you are doing (ProtonVPN, Mullvad VPN, etc)

    Is Tailscale fit for the second? I thought not, as the exit node is not an anonymized VPN server but one of your own machines.








  • You keep using the word “maintenance”. All I’m worried about is not installing any security patches for months.

    The problem that I tried to highlight with my “cherry picking” is:

    • Running a machine with open vulnerabilities for which patches exist also “paints a target on your back”: even if your data is worthless, you are essentially offering free cloud compute.
    • But mostly, a single compromised machine can be an entrypoint towards your entire home network.

    So unless you have separated this Orange Pi into its own VLAN or done some other advanced router magic, the Orange Pi can reach, and thus more easily attack all your other devices on the network.

    Unless you treat your entire home network as untrusted and have everything shut off on the computers where you do keep private data, the Orange Pi will still be a security risk to your entire home network, regardless of what can be found on the little machine itself.


  • No it is

    https://www.pandasecurity.com/en/mediacenter/consequences-not-applying-patches/

    And:

    You’re allowing for more attack vectors that would not be there if the system were to be patched. Depending on the severity of the vulnerability, this can result in something like crashes or something as bad as remote code execution, which means attackers can essentially do whatever they want with the pwned machine, such as dropping malware and such. If you wanna try this in action, just spin up a old EOL Windows machine and throw a bunch of metasploit payloads at it and see what you can get.

    While nothing sensitive may be going to or on the machine (which may seem to be the case but rarely is the case), this acts as an initial foothold in your environment and can be used as a jumpbox of sorts for the attacker to enumerate the rest of your network.

    And:

    Not having vulnerability fixes that are already public. Once a patch/update is released, it inherently exposes to a wider audience that a vulnerability exists (assuming we’re only talking about security updates). That then sets a target on all devices running that software that they are vulnerable until updated.

    There’s a reason after windows Patch Tuesday there is Exploit Wednesday.

    Yes, a computer with vulnerabilities can allow access to others on the network. That’s what it means to step through a network. If computer A is compromised, computer B doesn’t know that so it will still have the same permissions as pre-compromise. If computer A was allowed admin access to computer B, now there are 2 compromised computers.

    From https://www.reddit.com/r/cybersecurity/comments/18nt1o2/for_individuals_what_are_the_actual_security/