JohnsNotHere

861 Followers
117 Following
2.1K Posts

Infosec practitioner, Founder of EliteSec (https://elitesec.io), podcaster, father, and knowledge junkie. Defender of the Oxford comma, and lover of good BBQ. Posts are my own, but YMMV.

I toot about #cybersecurity topics and #entrepreneurship, plus random thoughts in between.

EliteSec Consulting: https://elitesec.io
Never doubt your worth, and don't let anyone else dictate what it is or diminish your value in yourself. Find allies to validate your thoughts, but first and foremost stay true to yourself.
Waiting is the hardest part.

One of the hardest biases to overcome is that of being a one-person operation. I get it, the website is professionally done, I definitely use language to make EliteSec feel larger than it is, the company is ISO27001 certified and CREST accredited, but in the end it is one man doing all the work. Is that bad? For some people apparently it is.

I get it - I do a lot. But I also pace myself and try to only take one client at a time. I sometimes have overlaps, but those are controlled and limited to certain circumstances. I've turned people away because I simply can't guarantee the timing and quality I strive for.

My usual retort when people bring up concerns is that they get to speak to the person doing the testing, not a salesperson who doesn't understand the process or what they are looking for. In the end, chances are you only have one person doing all the testing anyway, so why not speak with them directly? This works most of the time, but there are times when a prospect will just make up their mind and be done with it. I've been doing this for 6.5 years, longer than most "fly-by-night" groups that charge a fraction of what I do but have questionable quality.

I have a prospect I'm deciding whether to follow up with that seems to fit this pessimistic view, and I haven't yet decided if it's worth chasing them. All I need is a quick update on one part of their scope, but I suspect they'll never give that to me. I get it, larger feels better, but honestly I have enough history to prove that the risk with me is low. Sad to believe that hiring 1 or 2 more folks would likely make this disappear, but I don't have enough volume of work to justify that right now.

Ah, the life of a #solopreneur...

Logitech has failed me. My mouse has developed this weird problem where the left button just stops working properly. Seems to release randomly when trying to click-and-hold. Based on my searches, it seems to be some type of static charge that builds up and messes with the switch, but it keeps happening.

I've decided to try a vertical mouse, but after nearly 2 weeks I'm switching to another wireless mouse that's a clone of a Logitech mouse. I'll see if that works out better. The vertical mouse was fine, I just can't get used to the hand position. Hopefully this new one will finally meet my needs. If it wasn't for the need to take screenshots (mapping out areas to capture), I'd be fine with keyboard shortcuts for everything.

#wifihacking

I've been playing around with BrosTrend devices for wifi testing, and it's quite good. I still love Alfa and will use them for serious engagements, but BrosTrend is cost effective and totally capable. I've tested them with Raspberry Pi devices and local VMs on Windows. I did have to install the drivers, but thankfully that's painless and a simple script you can get from their support site. For those looking for a cost-effective solution, it's a solid brand worth considering.

I've personally used their AC650 and AXE5400 adapters successfully in a WPA2 environment. I hope this helps someone wanting to try this type of hacking out without breaking the bank.

Change is the only constant we have in our lives. Embrace it, lest it tear you apart.

An honest question to the #pentester crowd out there. When you write up a report, do you include everything you tried, or only the findings you came across and verified? I had a discussion today with someone new who nearly had me fire them as a client, and now I'm curious. We resolved our differences, but his initial reaction pissed me off and now I'm curious how others handle things.

One tidbit - there was no mention of chained vulnerabilities in the report. The reason? There were no exploitable vulnerabilities that we could chain off of! There's a lot more, but that was a taste of how it started.

Let's Encrypt drops cert lifetimes to 45 days by Feb 2028, a year early.

CertKit now supports their TLS Server profile, so you can issue 45-day certs today and test your automation before the deadline.

https://www.certkit.io/blog/managed-accounts-for-msps

#LetsEncrypt #SSL

Managed accounts for MSPs, plus 45-day certificates you can use today

MSPs can now stand up fully-managed CertKit accounts for their clients, deploy certificates and agents, then hand over the keys. We also added support for Let's Encrypt's TLS Server profile, so you can issue 45-day certificates right now.

CertKit SSL Certificate Management

WTF happened to Raspberry Pi pricing?! I'm looking at a Pi 5 kit with 8GB of RAM selling for over $300 CAD! I can get a 16GB Ryzen 5 mini PC from GMK for roughly $100 more, and it even comes with a 512GB SSD. I'll be damned if it isn't time to upgrade the old stock of dropboxes to something more powerful...

Question for those of you running local VMs. Are you still using VMware (Broadcom), or are you moving to VirtualBox for your local VMs, specifically Kali? I host everything on a Proxmox server, but I have a need to run locally again and I'm curious which is more stable. I've had weird issues in the past with both VMware and VirtualBox, so I'm curious if stability has improved for both.

To be honest, I hate Broadcom, but free is free. TIA.