|Previous Episode||Next Episode|
|S0E10: "Jthan Tries to Edit"||S0E12: "It Hurts when IP"|
|Recorded (UTC)||Aired (UTC)||Editor|
|2015-07-03 04:42:42||2015-07-13 03:23:10||brent s.|
“InfoSec Speaks!”- where I get some input from the InfoSec crowd via Twitter. We also talk about running your own router box, briefly talk about VPNs, IPv6, and a really stupid decision MSFT made with Windows 10.
- I don’t see anything about individually shipped packages per RMA shipping policy Seagate’s
- Jthan mentions the importance of a good toolkit for your cabs. I’d recommend the following:
- Telescopic magnetic grabber
- something like this
- a good precision toolkit such as this or this
- a beefier screwdriver set
- and, if you maintain your own cage/cabs as well, these are pretty dang handy.
- cable management is very important, so don’t underestimate it
- labeling your stuff is also SUPER important.
- and don’t forget your livecds! (We’ll be doing an episode on this coming up, so get your USB sticks and optical drives ready!)
- I searched but couldn’t find any purse that explodes into nanchaku. :(
- Windows 10’s Wi-Fi Sense is stupid. And dangerous.
- iproute2 obsoletes net-tools
- and ARIN is indeed out of IPv4 allocations
- I freakin’ love Shorewall
- Shorewall has super awesome rate-limiting
- And its documentation kicks ass
- Internet routing protocols such as BGP, RIP, OSPF, and (E) IGRP are only needed if you need to be your own border/gateway router directly connected to a backbone provider.
- As mentioned, a RIPv1 vulnerability recently announced
- For Wireless functionality, you can either:
- Throw some WLAN cards in your routerbox and use hostapd (VERY limited range/coverage)
- Get some old OpenWRT – compatible devices and run them in bridge mode, and run a cable backbone to the switch connected to your routerbox, or
- (My personal recommendation- and no, I’m not being paid) Ubiquiti’s Unifi-AP system, switched into a PoE switch (it doesn’t have to be Ubiquiti, but they make good stuff at an affordable price), and connect that PoE switch into your normal backbone switch
- the APs are even fully OpenWRT compatible themselves!
- I mention that PacketPushers published a list of free reference books
- And my personal recommendations:
- The Pink Book (named after their 2nd edition)
- NoStarch Press’ TCP/IP Guide (and the author does indeed provide it online for free)
- I fail to mention it specifically, but the LARTC HOWTO is free and a great resource as well.
- Also failed to mention but a fantastic resource, the
RUTEis great for Linux beginners (it seems the site no longer offers the book. It’s under a distributable license, though, so we’re hosting a copy).
- IPv6 has many of the same concepts as IPv4, but this is a good start to learn the difference.
- You can test a website’s IPv6 compatibility here, here, here, here, and many others
- You can test your local connection here
- And also check out HE’s TunnelBroker.net for an IPv6 tunnel. They also offer IPv6 certification. It is, indeed, free.
- Sixxs also offers free IPv6 tunnel brokering and education.
- Also, NIST has changed the requirements for Random Number Generation.
- Shorewall’s documentation talks about the ‘Roadwarrior setup’ (for those that aren’t aware, this is what I mean by “roadwarrior”; not this.)
- PPTP sucks, even when running on GNU/Linux.
- Not only is MS-CHAPv2/MPPE encryption and auth broken, it’s broken hard. Like, really hard. And we’ve known this since 1998. STOP USING PPTP.
- IPsec (The GNU/Linux implementation is StrongSwan / OpenSwan)
- The “IPSec” part is (sort of) like PPTP’s MPPE, whereas L2TP is kind of like the PPP/MS-CHAPv2 implementation, if comparing to PPTP
- Except, you know. It doesn’t suck.
Many thanks to all that contributed input! It was really great to hear from them!
NOTE: Some of the following have been modified from their original form to be more easily read in US English. I have included a link to the original tweet for your reference.
If you could give one piece of advice to system/network administrators/engineers, what would it be? (12:49 AM – 2 Jun 2015)
These are the replies we got.
Make sure your response plan is proactive rather than reactive. – [https://twitter.com/mzbat @mzbat], 7:16 AM – 2 Jun 2015
Learn how easy antivirus is to bypass, how weak passwords are, common social engineering attacks, … try to understand the concept of credential theft and view rights from an attacker’s perspective. … e.g. “If I can control your box, I may as well have all your privileges.” – @scriptjunkie1, 1:57 PM – 2 Jun 2015, 2:11 PM – 2 Jun 2015, 2:13 PM – 2 Jun 2015
- When discussing OpenVPN, I say it supports both tunneling and “peer-to-peer”; I actually meant TAP and point-to-point (“Bridged”-mode). Pretty similar concepts, but there are differences. See here and here.
- When discussing PPTP, I mention the weak security of MS-CHAPv2. That’s actually the authentication method; the encryption is MPPE (but they’re pretty closely intermingled, so potato/potato).
|Intro||Exit the Premises||Kevin MacLeod||click||CC-BY 3.0||Outro||Rhinoceros||Kevin MacLeod||click||CC-BY 3.0|