Spent some time looking for ideas on how to do a security training (compliance requirement) that didn’t suck. Cribbing from some reddit posts, I think I’m going to give everyone a notecard with something like “Is Bob Bobson a client here”, have them pair up, and do a little phone conversation roleplay where one person is a visher trying to trick the other into revealing the piece of information, while the other person gets practice saying “No.” Seemed like a good way to let the staff dip a toe into thinking like an attacker.

Been diving into the Tor Browser codebase recently and as a consequence now lifting over a few goodies in the privacy and security departments from there to Konform Browser

This week I gave up on trying to convince the teamlead an oauth access token lifetime of 5 years is too much. Yes, an access token, not an API key. There’s no revocation mechanism either.

At home I fixed RBAC for traefic, after wading through config and in the end basically just flipping switches until it worked. It does work now though so admin apps are inaccessible to family accounts. Still somewhat open for suggestions as I’m not 100% convinced by traefic yet.

If I told you it wouldnt be secure.

I’m in the process of hardening caddy. It’s a work in progress, as I’m new to caddy. I always used Nginx. But I decided to give caddy a try as I saw it recommended a LOT.

*: in my homelab.

Overthrowing a small 3rd world country for kicks