• 0 Posts
  • 109 Comments
Joined 3 years ago
cake
Cake day: June 7th, 2023

help-circle
  • All of the above.

    Is it that ISPs are being paid by tech-bros to assign them these IPs?

    Bullet Proof Hosting is a thing. Some ISPs basically advertise to criminals about their ability to evade take down orders and unwillingness to work with law enforcement. So, some infrastructure ends up on these devices. However, the IP ranges from these services often get discovered and are added to public reputation and block lists.

    Along side this, cloud providers are pretty bad about policing their networks. On my own home server, I have blocked much of the Digital Ocean IP space, as it’s home to a lot of scanners, bots and other malicious traffic.

    Is it that residential devices have been hacked /contain malware that does this?

    This happens, a lot. The Mirai Botnet thrived on compromised home routers. People are pretty bad at updating their devices and many SOHO routers ship with some pretty bad vulnerabilities. It’s only a matter of time until someone finds an unpatched or misconfigured router and adds it to a botnet. People also get phished or install trojans all the time, adding to botnets. Darknet Diaries just had a fantastic episode on the Bayrob malware, part of which was turning infected machines into a custom botnet.

    Is it trivial for companies to assign themselves residential IPs?

    Some ISPs just look the other way when they get reports of malicious activity on their network. Also, attackers can force a DHCP refresh and just get a new IP when the old one seems blocked. Getting one in the first place is often as simple as signing up for service and/or compromising someone’s home PC and using it as a relay.

    Paid volunteers are doing this for AI companies?

    This probably happens. Afterall, we’ve already seen a company selling an AI product which was just workers in India.

    Obviously this is a problem because one can rotate / cycle through residential IPs and if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

    Look into Fail2Ban. This program monitors your logs and will ban IPs automatically based on criteria you set. This can include specific HTTP requests in your web logs. The ban can be permanent or can be time limited. For example, I have a container running in a cloud provider which I use to proxy requests through my ISP’s CGNAT setup. There is an NGinx reverse proxy running there and I have fail2ban watching the access log. If certain request strings are seen, the sending IP gets dumped in a permanent jail. I also have it scanning the sshd logs and banning IPs which fail to login 3 times within a short period.

    It’s far from a silver bullet, but it’s something which should be running on any web facing system. Attackers will always be rattling the door knobs. There is no reason to let them keep rattling away.




  • Thanks for sharing.

    But, please stop using the curl command piped into a terminal pattern. Malicious actors have been abusing the fuck out of this pattern ever since the idiots at Anthropic decided that would be the official install pattern for Claude. I’ve been cleaning up infections based on people just blindly running shit like that constantly over the last couple months.

    Folks, never run a random script from the internet, without being sure what you are actually about to run. If using AUR packages is considered risky. Random scripts being piped into a terminal ranks right up there with sticking your dick in a blender.


  • One of the traditional ways to do this is to stand up a reverse proxy (e.g. NGinx) That then sits on ports 80 and 443 (you’ll want TLS for NextCloud) and forwards traffic to those applications. If you are using docker for everything, you can have a back-end docker network where the NGinx container forwards traffic to the PiHole and NextCloud containers. And since each container is its own entity, you don’t need to worry about mucking about with the ports for the different services, they can each have ports 80/443 on their own container and you don’t need to worry about forwarding those ports from the host. Though, if PiHole is running on the hardware and not in a container, this can complicate things.




  • The just stopped working was the client stopped syncing?

    The client doesn’t seem to detect new photos as they are created/taken. If I manually upload an image from my photos folder, it syncs just fine. Files in other folders seem to sync just fine. But, photos and videos just never even try to sync.

    NextCloud decided to stop allow private made certificates with its client in 2025 and its what made me switch.

    This hasn’t been an issue for me. I pay for a domain and have a certificate issued by Let’s Encrypt. The only certificate errors I get are when I refresh the certificate every 6 months, and that’s just the client asking me if I want to trust the new certificate.

    Syncthing

    I had looked into this a while back, but it seemed to be more of a point to point solution and not a client-server system. I was aiming to have an authoritative server with everything and clients (both phone and desktop) able to pull the needed/request files. I also like the ability to share via a web link when needed. Am I wrong in that understanding?


  • I currently use NextCloud, but I have been looking to move away from it. My main use case is for syncing photos and videos to the cloud from my phone (Android) and this used to work flawlessly. But, some time in early 2025, it just stopped working. I can still manually upload files and sync still works for other folders (e.g. Documents) just fine. But, photos and videos just won’t sync automatically. Not sure if there are other options which would work better, but NextCloud on Android just seems to be broke.


  • LinkedIn is basically a public resume. Using it for anything more demonstrates that you do not have a basic grasp of privacy or security. As such, there shouldn’t be anything up there which is all that bad to have leaked. Sure, if the password database gets dumped, rotate your LinkedIn password (it should already be unique, so no worries about it being reused elsewhere). And having an email address get added to every spam list everywhere kinda sucks. But, what else is the attacker going to get, my name and work history, which are already public on the site?

    I mean, yes LinkedIn should be raked over the coals for shit security practices. And we really need something like the GDPR here in the US to actually do that. But, I’m also not going to get terribly worked up about my public CV being leaked. The leak is kinda redundant.



  • Microsoft’s partner portal website mysteriously said his account had been deactivated, without specifying why.

    My money is on Microsoft’s AI based detections causing false positives again. I spend way too much time chasing ghosts from Defender. Their machine learning based signatures are especially egregious. You get an alert with a name like “Win32/Wacatac.b!ml”. That last “ml” bit denotes that it’s machine learning based. And then you get fuck all to help you determine why the alert fired. Sure, it might actually be a trojan. More likely, it’s a false positive. But who knows, because Microsoft won’t provide enough information to perform a reasonable analysis of the binary.

    And MS has been pushing CoPilot hard. It’s in everything and it’s happy to slop up answers for you. The accuracy of those answers though can be a bit spotty. I’d certainly never turn it loose on tools which can have business impact. But, I doubt Microsoft has any such reservations about letting CoPilot slop all over third party devs.







  • The uproar is the same uproar that has always existed when government overreach threatens privacy. The question should never be, “why are you fighting this?” the question is, “why is this needed?” And the answer is that it is not. It’s yet another mnaufactured moral panic which is being pushed by the folks who want to destroy privacy. Some want that destruction for the privacy so that they can spy on and control others, the rest are dimwitted fools who believe that they can give up privacy to obtain some small measure of security. They are wrong and in the end will have neither privacy nor security.



  • This one is a mixed bag. KYC regulations are very useful in detecting and prosecuting money laundering and crimes like human trafficking. But ya, if this data needs to be kept, the regulations around secure storage need to be just as tight. This sort of thing should be required to be kept to cybersecurity standards like CMMC Level 3, audited by outside auditors and violations treated as company and executive disqualifying events (you ran a company so poorly you failed to secure data, you’re not allowed to run such a company for the next 10 years). The sort of negligence of leaving a database exposed to the web should already result in business crippling fines (think GDPR style fines listed in percentages of global annual revenue). A database which is exposed to the web and has default credentials or no access control at all should result in c-level exec seeing the inside of a jail cell. There is zero excuse for that happening in a company tasked with protecting data. And I refuse to believe it’s the result of whatever scape-goat techs they try to pin this on. This sort of failure always comes from the top. It’s caused by executives who want everything done fast and cheap and don’t care about it being done right.