mark

joined 1 year ago
[–] mark@infosec.pub 2 points 1 month ago

if you want to type the key yourself each time this could work. I'm not aware of an app that does this but it wouldn't be too hard I don't think.

[–] mark@infosec.pub 8 points 1 month ago* (last edited 1 month ago) (5 children)

if you're encrypting at rest you also have to consider where the encryption key is being stored.

if you're storing the encryption key plaintext on the same drive as the data, there's not much of a point in encrypting.

a TPM/HSM could solve the issue, depending on how far down the rabbit hole you need to go.

EDIT: You could also encrypt the disk of the VM/Server hosting the app. similar situation.

[–] mark@infosec.pub 1 points 2 months ago

For desktop Windows this is not true. A remote sign in will sign out the local user and vice versa

[–] mark@infosec.pub 16 points 3 months ago (2 children)

Cloudflare and Crowdstrike are different companies.

[–] mark@infosec.pub 1 points 5 months ago (1 children)

I think you may be referring to jjjacksfilms,

https://youtube.com/@jjjacksfilms/videos

[–] mark@infosec.pub 7 points 5 months ago

Invincible. The comics are great, but I think the show dramatically improves a couple characters

[–] mark@infosec.pub 2 points 6 months ago

No you can totally modify mail headers anytime you want to, just be prepared to get mail rejection if you're not following current mail security best practices.

I'd recommend just renting a cheap vps from vultr or something, then you can set up your mailserver to send from anything you like. That's how my mailserver works. I pay like $3 a month, and it's plenty of space for a single user mailserver (I have like 3 mailboxes)

I did go through the work to set up dkim/dmarc/spf. Took a weekend, but wasn't too bad. My mail is received by gmail, yahoo and Microsoft. I imagine doing the same with onion addressing would be complicated.

[–] mark@infosec.pub 1 points 6 months ago (1 children)

Maybe I need to further clarify that none of this is in the email RFC. Email is very old. These are new standards that everyone has agreed to on top of the RFC

[–] mark@infosec.pub 1 points 6 months ago (2 children)

That is 100% what I'm saying, yes. The sending server needs to sign all messages with a private DKIM key where the public key is in a dns text entry. Then the reverse dns lookup for the mailserver needs to match the SPF txt record. Then your DMARC record has to match the dkim and spf settings.

I've set this up for exchange at work as well as my own personal mailserver, which is just a debian server running postfix and dovecot.

When you want to use gmail as a mailserver for your own domain, you set these three things up so that your messages aren't all blocked.

Keep in mind, you do not need these to simply send and receive messages, but if you want to interact with the rest of the world you do. Email is too easy to spoof, so everyone has agreed on these protocols for authenticity.

[–] mark@infosec.pub 1 points 6 months ago (6 children)

Because dmarc, DKIM, and SPF validate the domain against the sending server, not the address.

When I send from noreply@ at work, it passes dmarc, DKIM, and SPF, because the recipient mail server validates the message came from an authorized mail server for the domain (mostly based on dns entries).

Without that validation, you can certainly still send emails, but most clearnet mail hosts will drop your messages. Google, Microsoft, and yahoo at the bare minimum will

[–] mark@infosec.pub 1 points 6 months ago (8 children)

How do you expect to receive replies from clearnet users, or are you okay not receiving replies?

Also most mail hosts these days toss emails that don't match dmarc/dkim/spf, which would be especially hard to do for an onion email

[–] mark@infosec.pub 1 points 7 months ago

Are you using defender for o365? If so, usually you can get a copy of any rejected messages at security.microsoft.com and get more info from the message explorer

 

Is the nvidia shield TV still the go-to box for streaming content to your TV?

I don't really need much, just something that can pick up jellyfin. hulu/HBO/etc. is a bonus
