• 0 Posts
  • 31 Comments
Joined 8 months ago
Cake day: November 4th, 2023
  • I see some comments recommending WordPress but WordPress is a security problem, especially if you’re using third-party plugins. It is such a bad problem that there are ‘WordPress security’ applications but even then WordPress sites get hacked all the time. If you are going to use it, it is best to let some other host handle it for you if you don’t know a whole lot about what you’re doing.

    There are many, many other content management systems out there. Some are lighter than WordPress and some heavier. They are all about posting and managing content. Most of them have some sort of user and authoring system. Once your webserver is set up, many are written in a mixture of PHP and Python so setting them up is generally drag and drop with either minor configuration file edits or wizards. Many of them have sections that you can set up using a labeling/tagging system. Most of them allow you to have the ‘stories’ as private or draft where you have to actually click publish before people can view them. Some have user roles systems where you can limit viewing and even editing between different roles for sections.

    Generally, once their setup is done, they are point and click to do everything.

    Here’s a nice list of FOSS CMSs (which includes WordPress of course).





  • It is a little more complicated than that. Yes, consumers are trained to expect sales. It drives an increase in purchases. However, JC Penney is a sort of mid retailer. It isn’t high-end and it can’t support price competition to the bottom. Much like Kohl’s that basically lives on having things constantly “on sale” while all they really are doing is pricing below MSRP which is meaningless, especially when it is specifically designed to be underpriced.

    They didn’t simply make “$29.99 + tax” into “$30, tax included” but they removed MSRP markings that were higher than their ‘sale’ prices. They removed the “.99” from prices and generally lowered them to under the MSRP always though not necessarily down to their ‘sale’ prices to overall bring prices down everywhere.

    Its “Everyday Pricing” initiative to lower overall pricing couldn’t compete with stores specifically designed to keep prices down and it certainly didn’t have the reputation of being upscale for any merchandise. Therefore, the only way to survive is to make consumers believe everything is on sale, always. Essentially fooling the customer into believing that they are getting a deal on better products for a cheaper price.

    If someone wants to buy nice clothes, they will buy nice clothes and pay more for them. Underpricing them could actually hurt sales. If someone wants a ‘deal’ then they are going to go to low price competitors. Mid tier retailers are always going to have a tough problem to solve, unless you fool the consumer.

    That marketing gimmick isn’t centralized to just the US or even North America. It works anywhere in the world for a mid retailer.

    Perhaps you believe that this makes the consumers stupid but that would be a universal generalization rather than a US cultural one.


  • I know shitpost and all that but this isn’t actually true, as in it can’t be verified. It was one small mention in a book (Threshold Resistance) by A&W owner Mr. Taubman. He basically said he wanted to know why his same priced 1/3 burgers weren’t outselling competing 1/4 pounders…from a competitor…that I’m sure you can guess. So, he hired a marketing firm who put together a little focus group in the 80s. Some of those focus group members supposedly didn’t know that 1/3 lb. is bigger than 1/4 lb. burgers.

    Keep in mind that there’s no evidence or any firm mentioned and the bias surrounding the author that is writing a book about his experiences including a failed venture.

    All we know is it is one man’s anecdote and it has been used for 39 years so far to make fun of Americans for supposedly not understanding fractions.


  • Depends on if there’s an IPv6NAT and how your ISP converts between IPv4 and IPv6 or actually supports IPv6 straight through. It also depends on your router.

    Currently, there’s still some debate since IPv6NAT (NAT66/NPT6/NATv6) isn’t really needed for WAN boundaries for the reasons NAT exists. However, without it you are right that this will be a problem for the consumer because PCs, IoT devices, printers, Cricuts or whatever my wife has, etc. could all be exploitable and even worse, you may never know you’re contributing to the botnet.

    As an example, I have a global IPv6 on a few of my devices. They can connect to IPv6 if it originates from me but if it originates from them or is UDP it doesn’t route to my IPv6. My router doesn’t care. It’ll route it just fine either way. It would appear that my ISP has me behind one of the IPv6 NATs.

    I’d imagine that’s true for most people at home.


  • NAT provides some measure of security as pure coincidence to how it works. It is not designed or intended to provide security. It does not inspect packet payloads in order to filter them for security. It looks at the header and attempts to route it to an internal IP address (your devices on your LAN) and if it cannot, it will drop the packet because the header will only have the external IP address – the packet has no idea which device it is supposed to go to. Forwarding a port is telling the NAT to assume that when a packet hits a certain port, if it doesn’t know the destination internal IP, forward it to some internal IP anyway.

    The reason you can connect to websites, ssh outside, FTP, whatever, is because your connection comes from your internal IP first to some other IP and therefore, NAT knows which internal IP to route those packets to.

    Take for example this scenario:

    You download some software. It has malware that provides command and control (C2) to someone else outside of your network. A firewall and/or antivirus may be able to stop this and hopefully notify you. NAT will not help here. Furthermore, if you have UPnP enabled (usually it is by default on your router) the malware can forward any ports through your NAT to the compromised device, opening it up to bot attacks and the like.

    Another scenario:

    You want to play a video game with your friends and you’re going to host it. So either you manually forward those ports or perhaps UPnP just does it for you. That game has an exploit known by attackers, or perhaps it can just be DDoS’d. Your NAT isn’t going to stop that. Hopefully a firewall will help you here. It definitely will if you set up explicit rules so that if they aren’t your friends’ IPs it will drop them. Though it is possible the game is exploitable and your friends are compromised.

    For example, malware has been known to spread via Minecraft.



  • In, I’d say, the first 10 years of my adult career, I definitely hated that. At about the 10 year mark I changed my entire perspective on things. I just changed to the mindset that employment is a two-way business decision. I knew that I could leave at any time and I know they can make me leave at any time. So, I became much more independent. I make my own meetings with others when I feel I need to. I only attend meetings I feel like matter, which cuts a lot of them out. I do great work and I specifically build relationships with everyone I interact with. In all of my positions at all of the companies and projects I’ve worked on, I basically cut my manager out of everything. I set my own boundaries and make my own decisions. I will not do something that I don’t want to do. I will not work hours that I don’t see as reasonable for whatever I’m doing and I will have a good work-life balance.

    My job has been threatened from time to time but I just shrug and say “that’s your decision but it doesn’t change mine”, but I usually have a great reputation everywhere for being the guy that can ‘do anything’ and ‘get it done’. I’ve had directors and once a VP force a rewrite of my manager’s performance review of me because I basically tell them I’ll just leave if my performance rating isn’t what I expect it should be from what I produce. It takes about 6 months, sometimes a little longer at a new place to get that sort of political capital for me.

    Basically, taking control of my own work-life has made me a lot more money, given me a much better work-life balance (I rarely work over 40 hours a week) and has made my actual time at work much more productive and enjoyable. I’ve empowered myself and it is fucking great.

    Most of your direct managers aren’t really going to let you go (except perhaps mandatory lay-offs) if you’re very productive because you’re effectively making them look good and advancing their career. If they do, then fuck’em, you shouldn’t be there anyway because you’ll always be held back and treated poorly for your efforts. You don’t have to actively search for jobs always but shooting your resume out to places from time to time, especially as you build your professional network can be very beneficial. If you have a good offer, demand they match it somehow – either in money or benefits of some type. If they don’t then just take the offer.

    When management knows that you can and will leave and you’re productive, it changes the whole dynamic for you at work.

    I know some people take the opposite path and do the bare minimum they have to in order to keep the job but I think having control over what you are doing, when you are doing it and having actual leverage in negotiating your pay whenever is much better for you. When they know you don’t need them, they’ll pay you better and just let you do your thing. The 80/20 || 90/10 (depending on how mismanaged your org actually is) rule is real. Be one of the 10 || 20 and show them you know it.



  • The SSH keys don’t help me if I get locked out of a Domain Controller unless you’re using OpenSSH (which is now a native feature you can turn on). In that case you can actually still log into the DC via command line because it authenticates based on authorized_keys and not the LDAP of the DC. I actually do this in the enterprise, not because I may get locked out but because it is just convenient. Granted you’ll have to execute PowerShell on the command line once in to use the AD cmdlets.

    On the other hand when you create a DC nowadays (Server 2019…I don’t remember if this is asked in the wizard in Server 2016) you can create a “Directory Services Restore Mode” password which is basically a local admin account on the DC that you can log into only when the DC is booted into safe mode. You’ll be asked to create it when you promote your DC.


  • Personally I use FreeIPA for my LDAP. I like that I can create sudoers rules from one centralized place and manage ssh keys across all clients. Granted I could just use Ansible I suppose, which is how I update multiple distributions in my network and online but I like that I can just change SSH keys and sudoers from one place easily instead of changing tasks/roles. I also usually run cockpit even on my non-Red Hat distros with SSH keys just so I don’t have to log into everything though it is somewhat limited outside of the Red Hat sphere.

    If you don’t want to use Proxmox or some other specialized hypervisor ecosystem, you can also use Cockpit to manage your VMs along with your Pods. I wish there’d be more attention to it for features because it feels like it could do a lot more.

    I also don’t really worry about locking myself out for two reasons:

    1. I use SSH keys.

    2. I also have a break-glass local account on every system…with SSH keys. If it’s on your local network, you can use VNC/VM console/Remote Desktop with a local account while only allowing SSH with keys if you’d like. Just make sure if you’re going to allow remote access outside of your network that you never forward the VNC/RDP ports. For SSH when I do this I always pick some random port – never default and never common ones like 2222 to at least keep my logs less noisy from the botnet auto attacks.

    For my online VPSes I use a firewall with GeoIP from MaxMind and drop all ports but 443 from the world, except for whatever country I’m in. I drop all packets from certain countries that seem to auto-attack more often than others. I try to drop packets from all known (to me) Shodan scanners. If I’m not traveling I just restrict all other ports to my public IP’s subnet though my IP hasn’t changed for years. For status checking services like StatusCake, I use the “push” method instead, using a simple cron job with curl instead of relying on servers around the world checking my ports. In this case, the services just check that my server has successfully hit them within X minutes to be “up”.
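The inbound policy the comment above describes (GeoIP country drops, known-scanner drops, 443 open to the world, everything else only from an admin subnet, default drop), written out as a first-match rule evaluator. This is an added example, not the commenter's firewall configuration; the GeoIP table, the scanner address, the blocked country code "XX" and the admin subnet are constructed stand-ins rather than MaxMind data or real addresses.

```python
"""First-match inbound-connection policy: GeoIP country blocks, known-scanner
drops, HTTPS reachable from anywhere, all other ports only from an admin
subnet, default drop.

Added example; GEOIP, KNOWN_SCANNERS and ADMIN_SUBNET are constructed
illustrations, not MaxMind data or any real host's configuration.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed stand-in for a GeoIP database (network -> ISO country code),
# sorted longest-prefix-first so the most specific entry wins a lookup.
GEOIP = sorted(
    [
        (ipaddress.ip_network("198.51.100.0/24"), "US"),
        (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # stands in for a country we drop
        (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    ],
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)

BLOCKED_COUNTRIES = {"XX"}
KNOWN_SCANNERS = {ipaddress.ip_address("198.51.100.250")}  # constructed
ADMIN_SUBNET = ipaddress.ip_network("198.51.100.0/26")      # constructed "my ISP's subnet"
WORLD_PORTS = {443}                                          # reachable from anywhere


def country_of(ip) -> Optional[str]:
    """Longest-prefix GeoIP lookup; None when the address is not in the table."""
    for net, cc in GEOIP:
        if ip in net:
            return cc
    return None


def decide(src: str, dport: int) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for an inbound connection attempt.

    Rule order matters: the scanner and country drops come before the
    world-reachable port, so a blocked source cannot reach 443 either.
    """
    ip = ipaddress.ip_address(src)
    if ip in KNOWN_SCANNERS:
        return "drop", "known scanner"
    cc = country_of(ip)
    if cc in BLOCKED_COUNTRIES:
        return "drop", f"blocked country {cc}"
    if dport in WORLD_PORTS:
        return "accept", "world-reachable port"
    if ip in ADMIN_SUBNET:
        return "accept", "admin subnet"
    return "drop", "default"


if __name__ == "__main__":
    probes = [("192.0.2.10", 443), ("192.0.2.10", 22), ("198.51.100.7", 22),
              ("198.51.100.250", 443), ("203.0.113.5", 443), ("10.0.0.1", 22)]
    for src, port in probes:
        verdict, why = decide(src, port)
        print(f"{src:>16}:{port:<5} {verdict:6} ({why})")
```

The same ordering carries over to a real nftables or iptables ruleset: put the GeoIP and scanner drop sets first, then the single world-facing accept, then the admin-subnet accept, and let the chain policy be drop. A source that is not in the GeoIP table at all (the `10.0.0.1` probe) is not treated as blocked, which is the usual behaviour and worth knowing when the database is stale.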


  • Kid_Thunder@kbin.social to Mildly Infuriating@lemmy.world · *Permanently Deleted* · 12 up / 1 down · edited 5 months ago

    So long as he didn’t act against store policy and actually attempted to, he probably has a case, even in an at-will state.

    The problem is that it will likely be difficult to get an attorney to represent him without an actual retainer because these cases usually draw out for a long, long time and are difficult to fight. Unless there’s a legitimate case for a class action, then the chances are slim that anyone can afford to fight the case, even if they ultimately could win because no attorney is going to devote years to this for a ‘maybe’.

    The only route where there may be a hope of winning here is for him to apply for unemployment and if he doesn’t get it, to appeal himself. He may get that, as small a win as it is.


  • I lived through Hurricane Hugo. Before it came about, most people didn’t worry about tornadoes much in my area when there was a watch. More people took warnings seriously but a significant amount of people would “know the signs” and go about their day anyway. Hugo hit and devastated everything. Trees through houses and everything. It is hard to describe in a small sentence how much the wooded landscape changed for over a decade but it was common for trees to just be laying down everywhere in the woods. It was now common that trails were cut through swathes of logs.

    For a time after, people would take tornadoes seriously again. Slowly but surely though, you’d see that neighbor that never mows their lawn think the best time to finally do it is when there’s a tornado that touched down nearby just to show they can defy it. Driving during warnings is one of the worst things you can do because the roads are static and traffic won’t just abide for only you. The road doesn’t just stay clear of obstructions from trees, powerline poles, fences, etc. You can very easily become trapped very quickly.

    I think like anything else when people deal with tornadoes regularly, they become complacent. People think about them like they can just see them a bit off and have time but tornadoes will hop around or form just wherever very quickly. Some people’s attitudes become “this happens every year and I survive around 15 tornadoes a year and it doesn’t really affect me much personally, so it’s no big deal really. You just have to know what you’re doing,” when it was just luck all along.


  • Just clarification here, a NAT is NOT a firewall. It will drop packets originating from outside the network if the ports aren’t forwarded to an IP simply because the NAT has no idea which device on the network to send the packets to. A forwarded port is you telling the NAT to assume packets coming into a specific port should be forwarded to a specific device. It is acting as a security measure simply by coincidence but not by design. Unlike a firewall it will not inspect any packet payload or attempt to make a security decision on outbound packets. It only routes based on the packet headers.

    A firewall on the other hand actively will reject or drop packets because it is an Intrusion Prevention System (IPS). This is why if your router has a built-in firewall, your NAT will still drop the packets – because it isn’t a firewall nor is it what is being referred to if you disable it.


  • Port 6667 is a typical IRC port. It is sometimes used by remote access backdoors for command and control via a channel (chat room basically) on an IRC server, however, if that port isn’t forwarded OR you don’t have your PC set as the DMZ Host (you should never do this), then you probably have malicious software on your system.

    If it isn’t forwarded, then your NAT would drop the packets and Malwarebytes would never see it because they wouldn’t be there. Malicious software can forward ports via uPNP and you should turn that off on your router or router/modem combo. It can also make it through if the connection is starting from inside of your network for TCP, which is the protocol that would be used for 6667 normally.