bestov.io

a tech bläg

A security post-mortem & the (shamefully) flimsy security of Meta, Inc.

Andrea has a small content creation business. They're what the youngsters call an influencer, and as such, among their assets, they possess very valuable social accounts with a valuable follower count. A few days ago, one of those accounts was hacked, using a classic vector: a stolen password, either leaked or phished, combined with 2FA phishing. This article is a post-mortem (and in a way a post-vitae), showing what we did to recover access to the account and to secure it...

Don't try to outsmart the universe

Today I migrated an IPsec (with IKEv1) site-to-site setup from a pfSense machine to a Debian machine. Since the pfSense machine was still the Internet gateway for the network, IKE and ESP packets still had to go through it. Now, I recalled something about firewalls not playing too nicely with IPsec, so I researched a bit and concluded I needed some very specific SNAT rules. (I also realized that IPsec was not really meant for what we're using it for, but over the course of many years enough functionality was kludged together, RFCs were written, and industry has adopted it quite widely...