Posts
7
Comments
235
Joined
2 yr. ago

  • Plus, at this point why not use managed Nextcloud directly (or alternatives)... If anyway you use a managed storage, runtime and database, in a vendor lock...

  • Oh yeah, I am aware. Mostly here I would question the idea to have multi-AZ redundancy and using a managed service for DB (which indeed is expensive). All of this when a 5$ VPS could host the same (maybe still using s3 for storage) and accept the few hours downtime in the rare event your VPS explodes and you need to restore it from a backup.

    So from my PoV this is absolutely overkill but I concede that it depends a lot on the requirements. I can't ever imagine having requirements so tight that they need such infra to run (in fact, I think not even most businesses have these requirements, I have written on the topic at https://loudwhisper.me/blog/hating-clouds/) for my personal stuff...

  • There is no such thing as "neutral" in a war, but facts are facts, and lies are lies. If the position people take means people say lies, you disprove the lies.

    From all this word-soup I see that you have effectively not a good example of false reporting from the Kyiv Independent, and you cast a wide net to the whole "western media".

    What is an example of neutral media in your opinion that you consider factual and trustworthy?

  • Everyone is free to pick their poison, but I have to ask...why? What is the target audience here? This is a massively overkill architecture IMHO. Not to talk about the fact you now need 3 managed services (fargate, s3 and aurora at least) for a single self hosted tool, and that is being generous (not counting cloudwatch, ALBs, etc.).

    • Why do you need security groups to allow egress anywhere (or, at all)?
    • I would pin the image to a digest, rather than using latest.
    • What is the average monthly cost for this infra for you?

  • Did they report on those at all?

    I searched their websites and I got 0 hits on the Ghost of Kyiv, and 1 hit on Snake Island (this).

  • Someone runs MongoDB unauthenticated, bound on 0.0.0.0 with production data, on a computer without a VPN, and the problem is the WiFi?

    Like I get what you are saying, but this sounds like saying that we should ban speedbumps because imagine there is a guy with a loaded gun pointed at a kid with no safe, finger on the trigger, and high on coke, if the car hits the speedbump the toddler is gone. Yeah, but I would hardly say the speedbump is the issue.

  • This is not really a common or easy attack, especially for any meaningful service (that is probably in preloaded HSTS lists).

    It's not like this is the only shared network. In airports millions of people everyday connect to the same network.

  • That tracking is done in a much more effective and capillary way by tracking cell towers. I think MAC tracking is a much better option, assuming there are enough of these APs to track.

  • Well, windows didn't allow me to do that, so I might have to do a manual process maybe.

    Anyway, I am not interested in upgrading, I am just saying that I can't upgrade (click button, couple of steps), without buying a new copy. We can argue about the semantics of what "upgrading" means, but effectively there are going to be plenty of people in my situation, which is why I brought it up.

  • Well, you did call it a "failed experiment", that doesn't sound right when it is the most used OS on the planet, on supercomputers, on servers, on phones.

    People answered with a broad response to a broad statement.

    Anyway, if this rage is medically induced and this topic seems to trigger you, why not block it? I think you can see how you are not going to convince anybody that your experience 20-30 years ago with Linux is applicable today, especially when people with 0 tech skills manage to daily drive a Linux distro or use it for gaming. So why do this to yourself?

    Researching IED, avoidance for "situations that upset you" seems to be one of the few recommended prevention mechanisms. You will get banned anyway eventually from the community, why not just block it in advance?

  • Not in all cases. My desktop PC came with windows professional (10), back in 2021. Upgrading to windows 11 is not included for free (not even to windows 11 "basic"), I need to pay a new license.

  • Email is almost always zero-access encryption (like live chats), considering the % of proton users and the amount of emails between them (or the even smaller % of PGP users). Drive is e2ee like chat history. Basically I see email : chats = drive : history.

    Anyway, I agree it could be done better, but I don't really see the big deal. Any user unable to understand this won't get the difference between zero-access and e2e.

  • They compare it to proton mail and drive that are supposedly e2ee.

    Only drive is. Email is not always e2ee, it uses zero-access encryption which I believe is the same exact mechanism used by this chatbot, so the comparison is quite fair tbh.

  • How would you explain it in a way that is both nontechnical, accurate and differentiates yourself from all the other companies that are not doing something even remotely similar? I am asking genuinely because from the perspective of a user that decided to trust the company, zero-access is functionally much closer to e2ee than it is to "regular services", which is the alternative.

  • Scribe can be local, if that's what you are referring to.

    They also have a specific section on it at https://proton.me/support/proton-scribe-writing-assistant#local-or-server

    Also emails for the most part are not e2ee, they can't be because the other party is not using encryption. They use "zero-access" which is different. It means proton gets the email in clear text, encrypts it with your public PGP key, deletes the original, and sends it to you.

    See https://proton.me/support/proton-mail-encryption-explained

    The email is encrypted in transit using TLS. It is then unencrypted and re-encrypted (by us) for storage on our servers using zero-access encryption. Once zero-access encryption has been applied, no-one except you can access emails stored on our servers (including us). It is not end-to-end encrypted, however, and might be accessible to the sender’s email service.

  • Over the years I've heard many people claim that proton's servers being in Switzerland is more secure than other EU countries

    Things change. They are doing it because Switzerland is proposing legislation that would definitely make that claim untrue. Europe is no paradise, especially certain countries, but it still makes sense.

    From the lumo announcement:

    Lumo represents one of many investments Proton will be making before the end of the decade to ensure that Europe stays strong, independent, and technologically sovereign. Because of legal uncertainty around Swiss government proposals to introduce mass surveillance — proposals that have been outlawed in the EU — Proton is moving most of its physical infrastructure out of Switzerland. Lumo will be the first product to move.

    This shift represents an investment of over €100 million into the EU proper. While we do not give up the fight for privacy in Switzerland (and will continue to fight proposals that we believe will be extremely damaging to the Swiss economy), Proton is also embracing Europe and helping to develop a sovereign EuroStack for the future of our home continent. Lumo is European, and proudly so, and here to serve everybody who cares about privacy and security worldwide.

  • They actually don't explain it in the article. The author doesn't seem to understand why there is a claim of e2e chat history, and zero-access for chats. The point of zero access is trust. You need to trust the provider to do it, because it's not cryptographically verifiable. Upstream there is no encryption, and zero-access means providing the service (usually, unencrypted), then encrypting and discarding the plaintext.

    Of course the model needs to have access to the context in plaintext, exactly like proton has access to emails sent to non-PGP addresses. What they can do is encrypt the chat histories, because these don't need active processing, and encrypt on the fly the communication between the model (which needs plaintext access) and the client. The same is what happens with scribe.

    I personally can't stand LLMs, I am waiting eagerly for this bubble to collapse, but this article is essentially a nothing burger.
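The zero-access versus end-to-end distinction drawn in the two comments above (mail re-encrypted by the provider, and chat content that the service must read before it is stored), as an added example that is not part of the original comments and is not Proton's code. `Provider`, `sealTo`, `openSealed` and `runComparison` are hypothetical names, RSA-OAEP with AES-256-GCM stands in for PGP, and the messages are constructed.

```javascript
// Added illustration, not Proton's code. RSA-OAEP + AES-256-GCM stands in for PGP.
const nodeCrypto = require('crypto');

// Encrypt to the holder of publicKey (hybrid: wrapped AES key + GCM body).
function sealTo(publicKey, plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, key);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Only the private-key holder can unwrap the AES key and read the body.
function openSealed(privateKey, sealed) {
  const key = nodeCrypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, sealed.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.body), decipher.final()]).toString('utf8');
}

// Hypothetical provider model; it holds the user's public key only.
class Provider {
  constructor(userPublicKey) {
    this.userPublicKey = userPublicKey;
    this.plaintextExposures = 0; // times the provider handled readable content
    this.stored = [];
  }
  // Zero-access: content arrives readable, is sealed to the user, plaintext is dropped.
  // Nothing cryptographic proves the drop happened; the user has to trust it.
  acceptPlaintext(message) {
    this.plaintextExposures += 1;
    this.stored.push(sealTo(this.userPublicKey, message));
  }
  // End-to-end: the sender sealed it before upload; the provider never sees content.
  acceptSealed(sealed) { this.stored.push(sealed); }
}

function runComparison() {
  const user = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const provider = new Provider(user.publicKey);
  provider.acceptPlaintext('constructed mail from a non-PGP sender'); // zero-access path
  provider.acceptSealed(sealTo(user.publicKey, 'constructed mail from a PGP sender')); // e2ee path
  return {
    plaintextExposures: provider.plaintextExposures,
    storedReadableByProvider: provider.stored.some((s) => s.body.includes('constructed')),
    recoveredByUser: provider.stored.map((s) => openSealed(user.privateKey, s)),
  };
}
```

Both messages end up equally unreadable at rest; the only difference the model records is the single moment of plaintext handling on the zero-access path.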

  • Porsche is German I believe. Maserati is Italian.

    Yeah indeed they are not comparable. I have a huge pickup truck in my building and it is on another scale. The problem is also that it's a vicious circle, the more you see cars this big on the road, the more you don't want to be the only one with what looks like a go-kart in comparison.

  • Sorry, but your spelling was too funny and I have to nitpick. Porsche and Maserati*

    I said funny because you might want to look up what "porche" means in colloquial Italian.


    Indeed these are generally super/sports cars, and you see very few of them in Europe, except for exceptionally rich places. Even in Europe though you see many SUVs in cities and I started seeing more and more huge tanks (like pickup-trucks), which I think are more common in the US right now.