About ezhik

  1. I've got a lot of respect for "Spaceinvader One". At least buy him a beer.
  2. I've never seen anything like that before. A WTF might be appropriate, pardon my French.
  3. No argument here. Cosmetics/Convenience category. Low severity.
  4. This should fall under a maintenance release as this impacts core functionality.
  5. Would be nice to see this properly fixed in 6.7.3 rather than hacking up a solution.
  6. I guess the concern here is the case of a really targeted attack where somebody exploits, for example, an externally accessible web-based Docker container, gets a reverse shell on the server as root, and then gets access to the passphrase used to decrypt the master keys for the disks. But even then, in order to actually use it, they would need to either have physical access or leverage IPMI or iLO to reboot the system, boot to an ISO and access the drives for data exfiltration. We are talking about some next-level espionage right here, so this type of scenario would be really targeted. Personally, if somebody steals my drive and manages to decrypt it, they would definitely return it to me with an apology note after seeing my nudes. It all depends on what you are protecting. There is always the right tool for the job; in this case, for somebody who is security paranoid, this may not be it. Maybe a standard Linux RAID6 (mdadm) with encrypted LVM would be a better fit then. It all comes down to security vs. convenience: the more functionality you add, the more security you trade.
  7. Alright, you get the point. You found something that was raised before in the encryption discussions, but you raised it loudly. However, I do say 'thank you' for reporting this. I agree, you both provided decent solutions, but do note that even salted password hashes have to be securely computed using proper sources of random data, and the salt cannot be user-controlled input; it has to be something that cannot be easily guessed or derived. We all know about rainbow tables and how to generate them based on common and re-used usernames. That's great! Check out OPNsense and Suricata. Also for Qubes, you can run a Windows VM and AppVMs (seamless apps). Check it out; if Snowden uses it, so can you. I've been running it for a while as well! Tinfoil hats! Now this part, man, why so arrogant? You are better than this; you are a professional. Ping them directly and work out a fix; you can be part of the solution. You can even test it first!
  8. Oof, this got blown out of proportion. First of all, thanks to @limetech for even introducing encryption support, which helps us ensure our data cannot be recovered (whenever the RMA'd drives get re-purposed), and for continuing to support and enhance its functionality. @BennTech Let's be mature about this. Your feedback is of course appreciated, but it needs to be constructive. I see that you have some knowledge in the infosec world, and that's great, but please, don't be so condescending toward the devs. I am sure you are not sitting behind a pfSense with IDS and IPS configured (such as Suricata, Snort or even Sophos UTM), and you are not writing your own custom Snort rules either. Your laptop is not running Qubes OS with segregated domains for your personal emails, social media and work-related access. You are not using FIDO2/U2F for MFA, nor are you using GnuPG for secure communication. And if you are, hats off to you, good sir. Regarding LUKS, I am sure you have seen this: https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811 (nothing is bulletproof). Additionally, before bashing on the devs: they do take security very seriously. Just look at the security sub-forum. Security is a shared responsibility, and you are also responsible for ensuring your system is configured in a secure way, as well as your environment. Yes, your environment as well.

     If we are talking about security practices, then there are many security controls you can implement:
     - Disable services you do not need; you don't have to run any dockers, just use storage
     - Don't expose unRAID or its services externally
     - Implement fail2ban to prevent brute-force attacks
     - Run your vulnerability assessments and manage them (OpenVAS/Nessus)
     - Rotate your passwords every 30 days
     - Randomly generate your passwords with at least 24 characters
     - Use VLANs to segregate network traffic
     - Don't use lower versions of SMB
     - Don't use NFSv3
     - Lock down physical access to the server
     - Install video cameras
     - Review access logs
     - Disable IPMI if you are running Supermicro
     - Disable hyperthreading if you are running Intel chips
     - Don't use unencrypted connections (HTTP); instead use nginx as a reverse proxy for encrypting all traffic (certs required)
     - Set up centralized logging using rsyslog to Splunk or Elasticsearch (ELK)
     - Set up appropriate auditing of filesystem access and triggers
     - And many others

     If you work in infosec, then you should know about risk assessments and risk management, as well as how convenience and security come clashing when you need to implement BCP (Business Continuity Planning) once your BIA (Business Impact Analysis) is done. You've raised a valid point that convenience in this case should be optional, and @limetech agreed to address it in the follow-up release. But are you that paranoid that you don't trust the way you set up your internal network? Do you not have enough traffic filtering set up to spot a data extraction operation through an ICMP or a DNS tunnel? Judging by your comments, you are a pro at this. In either case, let's improve things. Everybody can be a critic, remember that. And remember, if somebody wants to pwn you, they will; there is always a way.
  9. If I don't get one, can I buy a few? I have 3 unRAID servers.
  10. I am aware of how RDP works. Unless something has changed over the years, RDP and 3D acceleration were not something that went well together. If what you are saying is true, that means you can even do light gaming over RDP. That's impressive.
  11. How are you using GPU 3D Acceleration over RDP?
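Post 7 above makes the point that a password-hash salt must come from a proper random source and must not be user-controlled or derivable from something as re-used as a username. As an added example (not code from this forum, from unRAID or from any poster), the weak scheme with a username-derived salt sits beside the hardened one with a CSPRNG salt; the credentials, the wordlist and the PBKDF2 cost are constructed values for illustration only.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample credentials for the demonstration only.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000  # assumption: illustrative cost for PBKDF2-HMAC-SHA256


def weak_hash(username: str, password: str) -> bytes:
    """Weak scheme: the salt is the username, a predictable, user-controlled value.
    Every install with the same username yields the same hash for the same
    password, so one table precomputed for a common username fits them all."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(),
                               PBKDF2_ROUNDS)


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: a fresh 16-byte salt from the OS CSPRNG per stored hash.
    Returns (salt, digest); the salt is stored next to the digest, not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_strong(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def precomputed_lookup(username: str, stored: bytes, wordlist: list) -> Optional[str]:
    """Why the predictable salt matters: a table built once, before any breach,
    from a common username and a wordlist recovers the password from a leaked
    weak_hash by a single dict lookup. It is useless against strong_hash, where
    each stored hash carries its own random salt."""
    table = {weak_hash(username, pw): pw for pw in wordlist}
    return table.get(stored)


if __name__ == "__main__":
    leaked = weak_hash(SAMPLE_USER, SAMPLE_PASSWORD)
    hit = precomputed_lookup(SAMPLE_USER, leaked, ["password", SAMPLE_PASSWORD])
    print("weak scheme, password recovered from table:", hit)
    salt, digest = strong_hash(SAMPLE_PASSWORD)
    print("strong scheme verifies:", verify_strong(SAMPLE_PASSWORD, salt, digest))
```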