cybersecurity

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

This is what my fetchmail log looks like today (UIDs and domains obfuscated):

fetchmail: starting fetchmail 6.4.37 daemon
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server4.com: SSL connection failed.
fetchmail: socket error while fetching from [email protected]@server4.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server3.com: SSL connection failed.
fetchmail: socket error while fetching from [email protected]@server3.com
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server2.com: SSL connection failed.
fetchmail: socket error while fetching from [email protected]@server2.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server1.com: SSL connection failed.
fetchmail: socket error while fetching from [email protected]@server1.com
fetchmail: Query status=2 (SOCKET)

In principle I should be able to report the exit node somewhere. But I don’t even know how I can determine which exit node is the culprit. Running nyx just shows some of the circuits (guard, middle, exit) but I seem to have no way of associating those circuits with fetchmail’s traffic.

Anyone know how to track which exit node is used for various sessions? I could of course pin an exit node to a domain, then I would know it, but that loses the benefit of random selection.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Big or small, we make decisions every day. Rules, policies, processes, templates, etc.

How do you document the process and results of your decision making and track changes?

To give you some background, a lot of departments discuss certain topics every two weeks, but nothing is written down - it takes a lot of time and worse, some decisions change every two weeks.

I've been trying to fight this battle with OneNote atm and was inspired by some software change management frameworks (wild mix of things):

Each decision/problem gets a new page.

• What is the question/problem?
• Why is this decision necessary?
• What are the pros and cons?
• Which departments need to be involved? What is the scope? (department, site, country, continent, international, etc.)
• What are the alternatives and consequences of not implementing?
• plus changelog
• plus metadata, such as parties involved, who proposed it, dates, etc.

Still a work in progress, but it is a mix of RFC, ADR, and some other frameworks.

How do you handle that?

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Apparently some company I do business with shared my data with another corp without me knowing,

WTF?

then that corp who I did not know had my data was breached.

WTF?

Then the breached corp who could not competently secure the data in the first place offers victims gratis credit monitoring services (read: offers to let yet another dodgy corp also have people’s sensitive info thus creating yet another breach point). Then the service they hired as a “benefit” to victims outsources to another corp and breach point: Cloudflare.

WTF?

So to be clear, the biggest privacy abuser on the web is being used to MitM a sensitive channel between a breach victim and a credit monitoring service who uses a configuration that blocks tor (thus neglecting data minimization and forcing data breach victims to reveal even more sensitive info to two more corporate actors, one of whom has proven to be untrustworthy with private info).

I am now waiting for someone to say “smile for the camera, you’ve been punk’d!”.

(update)
Then the lawyers representing data breach victims want you to give them your e-mail address so they can put Microsoft Outlook in the loop. WTF? The shit show of incompetence has no limit.

(update 2)
It’s interesting to note that the FTC as well as a data breach lawyer both recommend that data breach victims take advantage of the free credit monitoring. I’m a bit surprised. As much as I want to cause the breached company to incur a cost for that subscription, it seems like a foolish move to put my sensitive info in the hands of yet another dodgy 3rd party.

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)

im aiming to make a chat app secure as theorhetically possible as a webapp. for transparency its open source. id like the user experience to be as close to possible to a regular chat app. its important to note; there are limitation with p2p and webapps such that messages cant be sent if the peer isnt connected.

to keep this post brief, please take a look at the readme. it has all the information and links.

i dont think its ready to replace any app or service, but id love to get feedback on what you think would make it so you would use it more than once.