Add1son's Blog

A place for pondering, planning and projects

2018

Today is the first of the year, and 2018 is the first year that has started with genuine excitement for me. 2017 was a great year full of professional and personal development, and I look forward to achieving everything that I set out to for 2018. When the previous year began I was thinking about goals that I would like to achieve, and for the most part I was able to do them, as documented on this blog of mine. The CSA+ I was able to get, and I have been able to continue to increase my skills with a lab environment that will be replicated in my home office in the coming weeks.

2018 brings the following goals (tentative):

  • Continue to develop and read into philosophy as well as increase physical fitness
  • Refinance my home in an attempt to reduce overhead and free up money to go into solar power
  • Focus on making time for the things that matter
  • Continue to develop self-hosted data analysis
  • Pursue an additional certificate or two perhaps dealing in virtualization, Windows Server and/or Linux

Instagram 2 Factor Authentication is Broken

Reviewing some security settings on everyone’s favorite photo sharing app revealed to me some inadequacies in the security policy and implementation of Instagram.

Realizing that the setting lay dormant in my account information, I decided to go ahead and implement what Instagram calls 2 factor authentication. Doing so didn’t prompt me to scan a QR code or choose an authentication app standard for TOTP (Time-based One-Time Password); instead I was told that a phone number was required. I confirmed my phone number and received a text message. To make sure that no other setting was present I went back through the menu, realized this was the only option, and had the code re-sent. When the code was sent back to my phone via SMS it was the same code despite a ~2 minute window passing by, which indicates to me that this password may or may not be set to roll at a set interval. After this a standard screen was presented with backup codes so that if I were to no longer have access to the phone number in question I could still log in to my account. This completed the setup of “2 factor authentication” within the Instagram application.

The problem with this is that NIST (National Institute of Standards and Technology) has ruled that 2 factor authentication is not to be done over an SMS message (TechCrunch Story NIST Digital Identity Guidelines). Accounts continue to get compromised via stolen or social-engineered, fraudulently issued SIM cards, and this poor implementation proves to be a security weak point in one of the most used applications on modern smartphones today. This raises an interesting point of contention: how do you get companies to care about your security and the security of your data? Instagram provides a page with “security tips”, including enabling 2 factor authentication, but doesn’t seem to have an address to contact with these security concerns. All in all, “The Register” provides a great article about this titled “Standards body warned SMS 2FA is insecure and nobody listened”, published late 2016. Industry will continue moving forward with implementing 2 factor authentication for end users, but hopefully in the future the options for authentication are more abundant than just an SMS code.

More information on sites that support 2FA @ https://twofactorauth.org/

Distributed social networking using old protocols

We live in a very interesting time, a time in which we have access to more information than ever and the ability to broadcast a message or information to more people than ever. This comes with a laundry list of pros, but something that has always been confusing to me is that the web is designed to be decentralized and fault tolerant, yet despite this design people flock to the same platforms in order to broadcast a message or information.

Websites like Twitter, YouTube and Facebook are now constantly being criticized by more and more people as being “full of censorship” and “injustice”. Whether or not these claims hold any merit isn’t really what I spend time thinking about; instead I wonder why these people don’t migrate platforms or create their own. For $5 you can have a VPS instance up and running with free software (free as in speech and free as in beer) within 10-15 minutes. Using RSS with this, a person could set up a “feed” of sorts a lot like Twitter or Facebook, but without having to worry about algorithms modifying what you are looking at or being experimented on in secret. A plain feed would come out of this that could be chronological in nature or otherwise, as chosen by the user. The power in this case is given back to the people who run their own content producing websites, which they can advertise directly to potential advertisers or accept donations on with something decentralized like Bitcoin, and BOOM, you are off to the races.

One could ponder something here like technical literacy making this a high barrier to entry, but I remain optimistic that once people are tired of getting their rights stepped on by private companies, they will have no other choice. I remain optimistic in hopes that this decentralized communication model is utilized and taken in stride by the masses; until then I am stuck utilizing multiple platforms for multiple types of communication instead of just using my web server for everything. If that isn’t the most “first world problem”, I don’t know what is.

Lab Architecture — Change of Plans

Last time on fun lab environment

The problem I am having is that the management group isn’t able to exit the hypervisor, and I am not sure if the configuration error is on the pfSense (layer 3) side or the virtual switch (layer 2) side.

So this turned out to be on the pfSense side. I was able to get these interfaces to work with one another, but unfortunately I am not able to spam 172.16.x.x with DHCP requests due to some issues with other equipment. I have 2 options at this point in time: scrap the 172.16.1.x and 172.16.2.x networks that I have running and move them over to perhaps a 10.0.0.0 network, or insulate them with firewall rules. I have yet to choose exactly what I am going to do with this problem at hand, but I am going to look to see if any documentation exists on this topic for the pfSense DHCP scope. Alternatively I can just toss out DHCP completely and do everything through static networking, which would be pretty easy but just a little bit of initial configuration.

Other than that I have added another ship to the yard in the form of the Proxmox box that is running on Debian. I look forward to playing around a little bit in a Linux based hypervisor to see if I can’t get some experience with it. I am going to try and devote more time to working in the lab at work and from home. Since I am writing it here I have to do it, right?


Hello World,

After fiddling around with a bunch of other platforms, I decided that 1/4 of the internet couldn’t be wrong in choosing WordPress (yes they could be). This is the platform I will be using for now. We will see how well it works for the time being.