Paco Hope @paco@infosec.exchange

This is an absolutely epic thread about racking and stacking. I love it. https://twitter.com/QuinnyPig/status/1087472201492643840

@June I've seen this before. But the preview in my browser made it even MORE intense. Because it looked like the title of the show was "DYING UP".

@oxpi that seems more like an accomplishment than a complaint. :)

Here's how my #Monday is starting. How's yours?

@jerry I use the free version. You literally just run 'iredmail.sh' on a bare, empty system and it does all the magic. You don't have to pay. But the money, if you pay, gets you a web interface. Let's you delegate permissions. (e.g, Sara can admin example.com, but not example.net). I have to do direct SQL into MySQL (using phpMyAdmin or similar) to edit aliases, forwarding, etc. But the WebMail SOGo is amazing: server side filter rules managed on the web. Password changes, etc.

@jerry I hear ya. I have self-hosted email since 1998 or so. It gets harder every year. At this point I have a really nice house of cards that works most of the time. But now I am very tempted to pay the $500 to the guy at iredmail.org to just have his scripts configure and build the email daemons for me. Once the house of cards is built, I can administer it just fine. But building the house and having all the daemons configured compatible and so on—life is too short.

@ryen "Alexa, put brain bleach on the shopping list." I only watched 60 seconds of this, and I have regrets...

I started visualising my #CloudTrail events on #AWS using #ElasticSearch. I blogged about it and put the code on Github.
Blog post: https://blog.paco.to/2019/cloudtrail-to-elasticsearch/
GitHub: https://github.com/pacohope/cloudtrail-logs-to-AWS-Elasticsearch-Service

@retrohacker @rtwx @Matter @grainloom And here’s the article explaining why TVs are cheaper than ever. With smart TVs, the profits aren’t in the purchase price, the profits are in the data smart TVs collect on you. https://nordic.businessinsider.com/smart-tv-data-collection-advertising-2019-1

@retrohacker @rtwx @Matter @grainloom I agree. Fundamentally the business value of spying on customers is subsidising the cost of really big screens. If you accept a screen with surveillance tech and a bunch of "smarts" you can't disable, you can get it cheaper than if you don't.

@rtwx @Matter @grainloom @retrohacker "Smart TV with no smarts" == HDMI computer monitor. A "TV" these days is an HDMI monitor with some tuning hardware built in. The "non-smart" choice is buying the monitor and the tuner separately. Something will have to have some smarts, a TV receiver, and a network connection. E.g., a DVR. But there's no need to put those smarts into the screen.

I just noticed that, now that I migrated my mail server to #AWS and #EC2 and assigned an ipv6 address to it, I'm actually accepting #SMTP connections over #IPv6! Yay.

@msmouse I'm confused. Don't most people have simple door locks on their houses? Isn't that all the protection most people have on their front door? Perhaps you and I have different ideas of "protection"? Or maybe we're thinking of different kinds of doors (data centre versus house)? I've never used anything on any door to any house stronger than an ordinary deadbolt.

@msmouse It's not that the things you said aren't possible and aren't easy. It's that a database of photos of keys with the street addresses of the doors they open makes new and even EASIER attacks possible. I don't have to drive to a wealthy neighbourhood and look at a front door to know what lock to buy and copy. I just search the DB for houses in the right post code, decide if I think they have good stuff, then print a key and find out.

@msmouse I don’t follow. If you know I have brand X or Y you know what keys and pins it takes. You can pick the lock or you bump it or whatever. BUT those are all riskier than just making a key and using it. Especially if you’re sure it’s the right key.

Not learning a thing from 3D printing of TSA keys or all the data breaches that have happened in the last decade, a firm has created photos-of-keys-as-a-service. It is a bad idea beyond bad ideas.
This year's announcement. https://www.bbc.co.uk/news/technology-46795616
Why that's bad.
https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/

@ohthehugemanatee Funny but I just did the opposite. After Spectre and Meltdown my on-prem hardware was dog slow. Everything is just painful. So I migrated nextcloud to EC2. I still have a Synology on-prem for mass storage that I care about. But I use nextcloud from outside the house as much as inside. So EC2 was a better choice for my use cases.