Considering they were using Coinbase, with linked email addresses and drivers licenses, I'm going to say they should rather be banned from any role involving opsec.
As a thought exercise, I'd encourage you to try and have more empathy for those who are less capable.
I went through a somewhat similar experience with my grandparents. Although the scam they fell for was a bit less obvious, it's a hard situation to go through and realize that your loved ones have declined to such an extent cognitively.
I am sorry! You are right! I automatically assumed everyone with cryptocurrency understood the risks and benefits, but if this is to become mainstream we need to educate people. I am sorry for making such assumptions about people.
Never understood the obsession of OSI and their insistence on not giving any protection to the authors. Authors, whether individuals or companies, should have the right to prevent their work from being rebranded or sold by others with minor or even major modification.
How many times has it happened that somebody or some organization wrote a complex piece of software and published it, and found that some companies just rebranded it and even sold their work with little to no added value, while the original authors don't even have the right to complain, because this is how open source works?
Something like BSL https://mariadb.com/bsl-faq-mariadb/ needs to gain more recognition among solo developers and small companies with little to no funding that believe in the power of open source while also believing in the right to earn a living from their own work.
I am not against forking or introducing modifications, etc. You can fork it, change it for your use case as you wish, but just don't bundle my work, rebrand it and sell it as if it were yours. I meant my work to be free and I want the legal protection to keep my work free.
That would be the NC clause of the Creative Commons licenses. This is not free / open source software anymore though, because you remove the right to redistribute the work or a derivative for a fee, which is arguably desirable for free software to foster. With such a license, you might prevent business models like the one of Red Hat, which also produces a great quantity of free software. So while they make money with your work, you can benefit from this through the availability of the free software they build with this money.
If you pick a copyleft license like the (A)GPL, it's right that you allow people to sell your software, but their customers will be able to require the source code under this license and will be able to make it available to the world.
Now there are loopholes like the one the company behind the GRSecurity project exploits.
If anything here is not desirable, you'll probably want to use a more restrictive license than a FLOSS one, but be careful with all the possible side effects (people not wanting to use or contribute to non-free software, license incompatibility with libraries and the rest of the ecosystem, etc.).
I believe that Kubernetes is artificially injected into your setup. You can just run your DNS server on the server and advertise it on the VPN address. You can still address it from anywhere in the VPN.
I did not downvote you but, serious question: is there a need for this kind of snark?
I understand the point that running a kubernetes cluster just for this would probably be hard to justify. But, if you deploy your services to kubernetes already, then this is a nice guide to do so, isn't it?
I find it hard to understand this attitude, especially in a forum dedicated to talking about technology.
But maybe, like in any social network, there is a bias in what is put on the front page. And if you have an interesting project, you might want to add an extra layer of complexity and use Kubernetes in order to gain more visibility.
Well, making things intentionally difficult sounds really stupid, but you learn a whole lot in the process, and for a side project geared towards gaining knowledge, this seemed perfect :) And in the process of setting this up I figured out a new way to debug my deployments for remote k8s clusters, using kilo. Also, side note: yes, I actually do host a couple of other things on my cluster, including my blog, so I didn't really want to spin up a new instance just for DNS and VPN.
It's also an example of a project where you can learn more about a platform. Yes, it could be run outside of k8s, but perhaps the author wanted to add the extra layer of "difficulty".
Never thought of that. But OP maybe liked tinkering with k3s and kilo. But I believe kilo's best use is for cluster to cluster connection. This use case is a bit artificial in my opinion.
How do you run the server? Create a packer image? Init scripts (or something similar)? Keep track of whether it’s up or not?
For developers who have grown up with containers, kubernetes offers the simplest, most familiar way to deploy a service.
I recently had to set up a factorio server. The official guide mentions downloading the binary and using init scripts to get it running. I tried to debug obscure issues with the binary for a few hours before getting fed up and looking for a containerized image; once I found that, it was super easy to start one locally. GCP offers a "container on VM" feature which I then used to deploy the thing in minutes. The experience felt so easy.
Notice that I did not use kubernetes, just something that can run containers. But if I had more apps to run, most likely I would set up one.
Kubernetes is a godsend and it solves way more problems than it creates. But I just believe that this simple use case is an overkill. OP just wanted a remote DNS server that is addressable within the VPN. You don't really need Kubernetes or Kilo for that.
Sure you can write a lengthy article to describe how to configure all the apps and servers manually. But with Kubernetes, you only need to throw some YAMLs in there and call it a day.
I don't think "using Kubernetes for running VPN and adblocking servers" is overkill. With k3s, you can deploy a Kubernetes cluster on a Raspberry Pi in one command. Anything that can run on a Raspberry Pi in one command just can't be overkill in my opinion.
It's not artificially injected into my setup. I already host my blog and a couple of other services on my k3s setup, and I didn't want to boot up another server just to serve as a VPN and DNS.
What does "trojans at ISPs" even mean? TLS works end-to-end and ISPs can do absolutely nothing to see the plaintext. Unless the CAs on the user's side are manually replaced with fake ones, nothing can be done. I've never used Windows since I was a kid, but I am sure this is pretty much impossible on Linux, for example, since adding CAs requires root privilege.
Presumably, Germany would have little trouble compelling at least one root CA to sign any TLS certificates they wanted. Just a cursory search shows that Google Chrome, on Linux, trusts, e.g.
> CN = D-TRUST Root CA 3 2013
> O = D-Trust GmbH
> C = DE
There is certificate transparency and pinning and so on, and they would be caught (probably, maybe) if they abused this carelessly and at scale, but in practice, for a small number of targets, it would be trivial to wait for users to connect to a less secured TLS site or even a plain-HTTP site (plenty still exist), and then use a browser exploit as stage 1, followed by whatever escalation-of-privilege exploit and rootkit is needed. TLS is really good at preventing always-on dragnet surveillance of everyone's internet traffic, but it is not a countermeasure against targeted nation-state-level attacks.
Google, Mozilla, et al. should make a commitment to revoke the trust of any CA that is found to partake in behavior like that. Even retroactive revocation of existing certificates shouldn't be off the table if the offense is egregious enough.
It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."
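The per-country trust policy the comment above wishes for is easy to prototype at the application layer. The following Go program is an added example (not from any commenter or from the k3s/kilo project): it generates constructed test roots whose subjects carry different C= values, builds a trust store that keeps only roots from an allowed country list, and checks whether a server certificate still verifies. The root names, hostnames and country codes are all made-up test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds constructed test certificates (not real CAs): with parent == nil it returns a self-signed
// root whose subject carries C=country, otherwise a server certificate for hostname name signed by parent.
func mkCert(name, country string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: the subject's C= is what a country-based trust policy keys on
		tmpl.Subject.Country = []string{country}
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server leaf: SAN plus serverAuth EKU, which Verify checks by default
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// countryPool is the "only trust CAs from these countries" store: a root is kept only if one of its
// subject C= values is in allowed, so chains ending at any other root fail and can be reviewed by hand.
func countryPool(allowed map[string]bool, roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		for _, c := range r.Subject.Country {
			if allowed[c] { pool.AddCert(r); break }
		}
	}
	return pool
}
// trusted reports whether leaf, presented for host, chains to some root in pool.
func trusted(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Note that a real deployment would filter the system bundle (for example the certificates Chrome trusts on Linux) rather than generated roots; the filtering logic is the same.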
Browsers blacklisted the Kazakhstan government certificate used for MITM, which was not even trusted. It is absurd to expect anything less than blacklisting such a CA immediately. Certificate transparency has been required for all certificates since April 2018, so you can't really issue a rogue certificate.
AFAIK they used a different certificate for MITM. Currently they are using the certificate mentioned in that bug to issue certificates for government websites (like https://elicense.kz/ ), so actually a lot of citizens who need to use government services have to install that certificate as a root anyway.
I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.
> It is absurd to expect anything less than blacklisting such a CA immediately.
Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?
Well.
That is the reason for Certificate Pinning.
And these days there is no excuse to not enable it server-side.
Helped me detect some MITM-Interceptions.
Not that the content was malicious (OpenDNS just rerouted my requests to a "This site is blocked" page, but the certificate was signed by Cisco, and thus valid. Certificate pinning still picked it up. Little hint: it was an Arch Linux site.).
Here [1] it says that Chrome stopped supporting HTTP Public Key Pinning (HPKP) with Chrome 72. There are other debates on it. See the discussions for excuses.
FinFisher has "drive-by infection" packages for sale called FinFly that require traffic injection, according to their brochure. How exactly those work today, I do not know. For example: until 2011 they used a bug in the self-update code of iTunes. Having a network-level man-in-the-middle can benefit many complex exploit chains.
The "Trojan" is simply the rhetorical framework chosen by German authorities. Their initial successful push for computer surveillance was in the form of the "state trojan", a piece of malware proposed to be installed on the systems of suspected criminals. Successive pushes have aimed at expanding out from there, using the existing capabilities as justification.
For many things there isn't really a need to get the payload. Get the IP addresses, DNS lookups and TLS SNI information, correlate them with information gathered from elsewhere, and you can derive a lot.
+1 for the optimism, but unfortunately even with those mitigations it is not enough. Using a VPN in combination with DoT/H is currently best practice I believe.
Looking at some of Citizen Lab’s excellent reporting on FinFisher shows that victims were redirected to regular unencrypted http downloads when the malware was installed.
One of the examples given was when a user tried to download Avast antivirus from a well-known software hosting site and the download was done over http.
There are several security sites that have downloadable packet captures of malware infections where you can see in Wireshark that redirects are commonly used.
Conceivably: If you have MITM and can inject... you'd next need web browser 0day exploit chain w/ sandbox escape and then a stealthy trojan to install. This would obviously be quite the capability and require a lot of maintenance to work cross-browser, cross-OS, and evade security products / built-in security features. It is definitely possible however.
The law only requires an ISP to redirect traffic to a target specified by the Verfassungsschutz (Constitutional Protection Office) or BND (Federal Information Office), for the purposes of listening in on or modifying traffic. It doesn't seem to require installing or providing TLS cracking.
I like how they are shamelessly trying to rebrand Jason Donenfeld's open source work in order to take the credit and the money for features with salesy names like "mobile IP" that were actually built inside WireGuard from day 1. In fact, I tried it a month ago and I had to uninstall it within the first 24 hours after I noticed the excessive logging eating my disk, the inexplicably high CPU usage, and low bandwidth compared to vanilla WireGuard, even pinging was failing randomly for some mysterious reason. WireGuard is a great piece of software, but Tailscale is a very bad, slow and buggy re-implementation of Zerotier over WireGuard.