!hannah 🦄(@infosec.exchange) @superruserr@infosec.exchange
config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}
Super simple.
Maybe the guide should start with that
Hopefully more people will try this out and make it feasable for others to open up Tor-only instances.
"Pleroma's goal is to empower the people and let as many as possible host an instance with as little resources as possible, the ability to host an instance with a small, cheap computer like a RaspberryPi along with Tor, would be a great way to achieve that."
https://git.pleroma.social/pleroma/pleroma/wikis/Easy%20Onion%20Federation%20(Tor)
How do you protect what you don’t know? You don’t.
Reject this lame cyber dystopia.
We shape things.
Make this world yours.
They don't own you, your thoughts, your work, your life, or your ass.
All you gotta do is reject their bullshit en masse.
Fuck that. Mic check.
Just published a post on how you can set up an open source security scanner ( #owasp ZED attack proxy) for your file transfer server https://www.sftpplus.com/articles/2018/sftpplus-mft-security-scan-post.html which uses HTTP(S) authentication.
You can adapt to fit your own server.
#ff @gilscottfitzgerald for their bio in particular:
> I'm a fan of non-hierarchical organization and a cybersecurity treehugger.
Hello all,
My former career was application development. 4 years ago, when I crossed over to security to help partner InfoSec with AppDev. Due to shortage in manpower I had to concentrate on vulnerability and patch management. Happy to say I get to refocus on AppSec. I still feel like a security newbie. Eager to learn.
#Introduction
#InfoSec
#AppSec
About the only TV I watch is #StrangerThings & #SuperNatural
Enjoy the outdoors #hiking, #kayaking
Some common "mistakes" that can compromise your python projects:
https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
most of them can be automatically detected, early on, by using some tools:
I'm a self-taught #SoftwareEngineer that is now trying to jump into the #infosec industry.
I'm also a #SecularBuddhist.
I want to limit my social media usage to meaningful interactions, and this seemed a better instance than my previous two.
Here are some of my interests:
#glitchart
#pixelart
#netart
#bots
#cyberpunk
#webdev
#decentralization
#infosec
#security
#privacy
#meditation
#buddhism
#coffee
#tea
You can find stuff I've done here:
https://0x4464.github.io
https://github.com/ThomasLeister/mastopurge exists, as a solution to time-limiting existence of toots at least on their originating server.
I am pleased to see data hygiene come up, even if "there's a german word that looks just like an english word" is a pretty hilarious gimmick (despite being accurate; it's more of a thing here).
Heard: "In terms of the cyber"
Actual: "In terms of the cipher"
Good in-depth writing: "AWS Privilege Escalation – Methods and Mitigation" by Rhino Security Labs. Covers 17
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
They also make exploits / tools available on their Github https://github.com/RhinoSecurityLabs/Security-Research
----
Excerpt:
This post will cover our recent findings in new IAM Privilege Escalation methods – 17 in total – which allow an attacker to escalate from a compromised low-privilege account to full administrative privileges.
you don't need an internet connection to build a distributed social network with Pleroma. you can go off the grid, and have a fully autonomous social and communication infrastructure, just on a mesh network with some raspberry pis, and connect it to the internet if you want to or not.
that's possible right now.
in a nutshell, it's about autonomy. it's about social media autonomy for every person on the planet. all 7.6 billion of us. nobody else telling us to do, what to say, and nobody else forcing us to see things we don't want to see.
this means Pleroma is being built for an entirely new scale of fediverse: one with billions of nodes. it's also why Pleroma supports alternative transports such as TOR and I2P out of the box.
it also is a major differentiator between Pleroma and Mastodon. in the Mastodon model, there's maybe a few million islands which host a few thousand people each. to contrast, in our model, everyone who wants to host their own instance does so. that means everyone can choose to have total social media freedom.
but it's not just social media, we also intend to use the same underlying tech to enable real-time communications with the same capabilities as the social media side of things.
and it's universal: different frontends for different preferences. like Mastodon but don't have the resources to run it? use Pleroma with Mastodon frontend and apps. like GNU social? Pleroma's default frontend was modelled after it. like diaspora* but want to talk to your fediverse friends? use Feather. like the alternative Mastodon frontends like Pinafore and Brutaldon? they work too.
hate spam and harrassment? we have a mostly as yet untapped framework called MRF which can be leveraged to automate moderation of an instance.
want to modify it? drop by #pleroma on freenode and we help with that too.
(or consider moving to a different, cheaper host)
Soliciting suggestions:
I'm going to be running a meeting to go over enterprise risk assessment w/ exec management. I've worked w/ them successfully for years in other realms, so I know the players & styles, but for some reason I can't seem to get much out of these meetings. What would others make sure they impart on c level & try to get out of the meeting?
@yuki_the_maven Another template is the SIG Shared Assessment. Not free.
Depending on the nature of the org & how much you like reading, these may be of interest:
PCI DSS v3.2.1 https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Reading a few tweets that redteam is actually hard, that the attacker doesn't have an advantage. Well yeah... but blueteam is also terrible at metrics. You could never know if you have been pwned and live with it. Both jobs can be extremely frustrating and equally hard. https://t.co/0jHn3lKDg5
