S1E18: "Pr0n and Nigerian Princes"
Posted
Comments
0
| Recorded (UTC) | Aired (UTC) | Editor |
|---|---|---|
| Format | SHA256 | GPG | Audio File |
|---|---|---|---|
| MP3 | click | click | OGG | click | click |
Using VPNs in a corporate use case and surface discussion on running your own email server.
The birth of Jthan’s “VPN noise”.
News
Starts at 5m42s.
- A story of quitting a one-man IT department
- This probably should have been a discussion topic…
- Snowden designed a phone case that “detects/prevents monitoring”
- > inb4 snakeoil
- Adding a shebang to files in Vim automatically
- This also probably should have been a discussion topic…
- Samsung has requested the cessation of sales for Galaxy Note 7
- EFF fights against the Rule 41 changes
Notes
Starts at 16m40s.
Jthan was drinking Chai High from Avery Brewing Company. Paden was drinking Grant’s Family Reserve Whisky. I was drinking Knob Creek (once again).
- We shortly recap BSides DE 2016.
- VPNs (Virtual Private Networks) can be a HUGE asset to your company.
- The Microsoft VPN, or PPTP, has been around for a looong time, and has some major security issues.
- macOS and iOS10 don’t support PPTP (source).
- The Linux version of PPTP server is called Poptop, and the client is (aptly-named) PPTP Client.
- IPSec is pretty popular. Windows has native L2TP / IPSec support, as does Mac OS X/macOS, iOS, Android, etc.- just about everything supports L2TP/IPSec. The Cisco “variant” is IPSec IKEv1 with XAuth extensions. Linux has several different projects that support IPSec and various iterations of it (FreeS/WAN (now defunct), Openswan, IPSec-Tools (including e.g. racoon)- which is what Android uses, and Strongswan. I recommend Strongswan).
- Windows users (and Linux users…) can use ShrewSoft for IPSec if they need drop-in support for Cisco-style IPSec.
- Microsoft’s PPTP replacement is SSTP, and if you want to run an SSTP server on Linux you’ll need to use SoftEther. Thankfully, the standalone SSTP Client for Linux feels a lot cleaner.
- But OpenVPN is, by far, my personal favourite. (The community/opensource version also has a pretty fantastic HOWTO.)
- USE SELECTIVE ROUTING WHENEVER POSSIBLE, don’t push a full default route to your clients!
- Jthan also mentions Tinc. However, it is not viable for a company VPN.
- Email is omnipresent and messy as hell. (39m24)
- Email has been around for a LONG. TIME. But is starting to show its age.
- Email has a TON of RFCs.
- I mention POP1 (RFC918).
- MISCONFIGURED EMAIL SERVERS CAUSE SPAM. DO NOT RUN YOUR OWN MAIL SERVER IF YOU HAVEN’T DONE A TON OF STUDY AND TESTING FIRST.
- If you choose to, use Postfix and Dovecot.
- Learn the ins and outs of, and set up:
- SPF
- OpenDKIM
- DMARC
- Make sure your PTR/rDNS records are correct
- SpamAssassin…
- and the ClamAV plugin
- and ALWAYS AND REPEATEDLY TEST TO MAKE SURE that you are NOT an open relay!
- ArchWiki’s Postfix article and Dovecot articles (and the suggested articles on the right sidebar) are immensely useful, as are the Gentoo articles.
- This thread has some useful information as well (but be forewarned- it has a LARGE amount of noise/signal).
- The SwiftOnSecurity thread on Twitter is here.
Sysbadministration Award
In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (56m18s)
A bank is enforcing 8-digit passwords. Yes, you read that correctly – DIGITS, not characters.
Errata
- Jthan fixed his mumble… :P
- Paden refers to “Rule 43” when we’re discussing the EFF rule 41 thing. He meant Rule 34. (Obligatory.)
- srg from our IRC channel has pinged us as let us know that he wrote an article for postfix/dovecot as well. And he totally reminded me of Sieve, which is super handy for giving users the power to perform their own filtering.
Music
| Track | Title | Artist | Link | Copyright/License |
|---|---|---|---|---|
| Intro | click | Outro | click |
Author
r00t^2
Categories
Season One
Comments
There are currently no comments on this article.
Comment...