Securing Your Domain with CAA Records: Prevent Unauthorized Certificate Issuance
You may have seen a recent post by WatchTowr titled We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI. The TLDR is that WatchTowr Labs discovered a major vulnerability in the .MOBI TLD by purchasing an expired WHOIS server domain for $20, allowing them to control WHOIS queries. They found that many systems, including Certificate Authorities (CAs) responsible for issuing TLS/SSL certificates, were querying this outdated WHOIS server, which enabled WatchTowr to spoof domain ownership information, namely emails....
Building a Private Cloud: A DevOps Approach
For the past year I have been involved in running a private cloud for Hack@UCF, a student-run cybersecurity club at the University of Central Florida. All members are given access to this cloud as a place to experiment and learn without the fear of massive cloud bills. We also use the cloud to host our very own defensive cybersecurity competition, Horse Plinko. This began in spring 2019 when the Lockheed Martin Cyber Innovation Lab was opened....
New Class Of Vulnerabilities Discovered (April Fools)
April Fools! This blog post is a joke and does not represent real research. We hope you enjoyed it! In collaboration with NIST, CISA and the University of South Florida, I am pleased to announce research regarding a new class of vulnerability called Remote Bankruptcy Exploits (RBE). Overview The RBE vulnerability class represents a significant shift in the landscape of cybersecurity threats. Unlike traditional exploits that focus on data theft or system compromise, RBE attacks target the financial stability of startups and small businesses by exploiting the very infrastructure designed to scale their operations....
The Horse Plinko Incident (2023)
Hey everyone, I can’t help but dive into this blog post without first tipping my virtual hat to the brilliant minds behind the scenes. To the organizers of the recent HPCC1 competition, you’ve orchestrated something truly epic. Your dedication, creativity, and the sheer complexity of the challenges pushed us to the limits of our knowledge and skills. And for that, I am genuinely thankful. Competing in the Horse Plinko Cyber Challenge 1 (henceforth known as HPCC1) was not just a battle of wits and technical prowess; it was an adventure....
Project Quay Setup
With Docker deleting open source organizations, it might be time to self-host your own container registry. Project Quay is the open source version of Red Hat Quay, the container registry that powers quay.io. It can be configured as a pull-through cache (useful for saving bandwidth). Not a lot of great guides exist for how to set up Quay using docker-compose, so here it is.

```yaml
---
services:
  quay:
    image: quay.io/projectquay/quay:3.8.4
    # One-time command for running Quay in configurator mode....
```
Selfhosting v3
Here are my goals for my self-hosting setup v3.

- All containers updated with GitOps
- All containers scanned for CVEs
- All apps that support it use federated auth (OAuth, OpenID Connect, LDAP, etc.)
- All containers that don’t receive frequent updates are built locally instead
- Container engine runs without root (maybe a v4)
- All databases dumped before backup
- Backups
  - Local backups for devices
- Logging
  - Container logs
- Alerting

Here is the basic plan of how to achieve this:

- Gitea for git server
- Renovate bot for updates
- Quay for image registry
- Woodpecker for CI
- Clair for scanning
- Traefik for reverse proxy
- Tailscale for networking
- Tailscale Funnel for public access
- Podman for rootless containers
- Keycloak for auth

Overall I hope this setup will decrease the amount of ongoing maintenance, alert me to problems before they break stuff, and make sure my apps are up to date....
Overview of Minecraft Server Hosting Technologies
This is a brief overview of different Minecraft servers, and a guide to picking the best one for your circumstances.