How do you sell what you did as “it just worked”? Rightaway? You lied to them. You have your coworkers on an unmanaged machine with a foreign OS on the guest WiFi with custom networking. Don’t oversell a workaround as a solution.

Simplifying the problem to “Windows” seems unfair, given how many problems you found. All of them still require a long-term solution for regular operation.

In short, untreated mental illness

Right. And then they locate it and search the rooms nearby. Exactly what their disclaimer is about

Just FYI, you need very little skill to clone the WiFi access gateway of a hotel WiFi, and then blast their SSID from your router, to lure close guests into your honeypot. Once people are on your malicious gateway, the fun starts.

In a hotel with hundreds of hackers on alcohol, it’s not unlikely for people to fuck around.

There is also no requirement to be a “good guy” to attend the conference.

Telegram is not just IM. Open the search and search for channels. Get creative, they have keyword filters. City name is always a good start. Check the channels with ❄️ and 🍄 emojis. This is where people are scammed for drugs. Maybe sometimes not scams.

A lot happens on Telegram, and it’s right behind that little search icon.

Reddit is free. Other people paying for your free service is a very weak argument to bring up. If Lemmy dies today, nobody but hobbyists and amateurs will care. Just like with LE.

I’ve been there. Not every CA is equal. Those kind of CAs were shit. LE is convenient. There are more options though.

I actually agree. For the majority of sites and/or use cases, it probably is sufficient.

Explaining properly why LE is generally problematic, takes considerable depth of information, that I’m just not able to relay easily right now. But consider this:

LE is mostly a convenience. They save an operator $1 per month per certificate. For everyone with hosting costs beyond $1000, this is laughable savings. People who take TLS seriously often have more demands than “padlock in the browser UI”. If a free service decides they no longer want to use OCSP, that’s an annoying disruption that was entirely not worth the $1 https://www.abetterinternet.org/post/replacing-ocsp-with-crls/

LE has no SLA. You have no guarantee to be able to ever renew your certificate again. A risk not anyone should take.

Who is paying for LE? If you’re not paying, how can you rely on the service to exist tomorrow?

It’s not too long ago that people said “only some sites need HTTPS, HTTP is fine for most”. It never was, and people should not build anything relevant on “free” security today either.

People who have actually relevant use cases with the need for a reliable partner would never use LE. It’s a gimmick for hobbyists and people who suck at their job.

If you have never revoked a certificate, you don’t really know what you’re doing. If you have never run into rate-limiting issues with LE that block a rollout, you don’t know what you’re doing.

LE works until it doesn’t, and then it’s like every other free service on the internet: no guarantees If your setup relies on the goodwill of a single entity handing out shit for free, it’s not a robust setup. If you rely on that entity to keep an OCSP responder alive for free so all your consumers can verify the validity of your certificate, that’s not great. And people do this to save their company $1 a month for the real thing? Even running the shitty certbot in compute has a larger cost. People are so blindly in love with this “free” garbage. The fanboys will never die off

"JD Vance is what would happen if Boss Baby grew a beard,” quipped one person in 2021.

“Just shave JD Vance’s beard and he’ll lose all support,” commented a self-described center-right Republican account in April. “He literally looks like a reddit user.”

https://www.dailydot.com/debug/jd-vance-beard-vice-president-donald-trump/?amp

Didn’t even know this was an actual hot topic…

I can relate. Being 13 would pair really bad with my drunk driving

I have heard of studies 🤔

Easy. Come up with some insane pet feeding scenario, and then assume you saw someone on YouTube vouch for it. Enter discourse. Ensure to present your theory by first saying “I don’t know what a cat actually is, but…”. Then slowly slide your audience into your scenario about how people in Florida have kept alligators alive by feeding them rotten boat parts with just the right algae and moss on it.

Saw this picture. Instant reaction: Ah, that’s why he has the beard. Also explains why his beard looks like a transplant

I wasn’t actively aware of this for most of my life until I recently visited a clients office. Buying someone a cup of coffee is an entire thing. There’s no free coffee. You have to purchase every single cup. And you first have to walk several minutes to the place where they sell the coffee. It blew my mind. I’m used to drinking one cup after the other without even giving it any thought. Coffee machine right next to me or around the corner. There, coffee incurs friction and cost.

So when you invite someone for a cup of free coffee, this can open doors for you. I’m not kidding. People get all excited when you offer them a coffee break on your dime. And there’s levels to it too. There’s the regular coffee, and there’s the premium one. For the premium you have to walk longer and wait in line until the barista serves you.

It’s a key component in office politics when coffee access is regulated.

Why anyone would restrict access to legal stimulants in the office is unclear to me though. Put espresso machines on every desk!

I can’t answer this with confidence, but I was thinking the link in the email opened in the default browser, which wasn’t Tor in their case. Or something in the email client perhaps. Ultimately, I have no idea what happened and I was just speculating

Agreed. There are countermeasures to take against everything I mentioned. You just have to be aware and ideally not be a criminal in the first place.

So you fucked everyone because of a beef you had with AWS. Go fuck yourselves. Moving people off Elastic products is the right move either way. Don’t look back.

There are many ways your real IP can leak, even if you are currently using Tor somehow. If I control the DNS infrastructure of a domain, I can create an arbitrary name in that domain. Like artemis.phishinsite.org, nobody in the world will know that this name exists, the DNS service has never seen a query asking for the IP of that name. Now I send you any link including that domain. You click the link and your OS will query that name through it’s network stack. If your network stack is not configured to handle DNS anonymously, this query will leak your real IP, or that of your DNS resolver, which might be your ISP.

Going further, don’t deliver an A record on that name. Only deliver a AAAA to force the client down an IPv6 path, revealing a potentially local address.

Just some thoughts. Not sure any of this was applicable to the case.

There are many ways to set up something that could lead to information leakage and people are rarely prepared for it.

I feel like the time to hide information behind YouTube links is over. Feels like a link to a paywall article at this point.