Darryl Nixon 

@[email protected]
143 Followers
114 Following
165 Posts

I'm a vulnerability researcher, a home chef, a Ph.D. candidate, and a dad. 

7-ish years in VR, firmware analysis, DFIR, development, hunt, mitigations, and various in betweens. Previous lives in firmware engineering, incident response, and healthcare IT.

I should blog. One day.

#vulnerabilityresearch #cybersecurity #infosec #vulnerabilities #dfir #hunt #cooking

Keyoxidehttps://keyoxide.org/fffffffff8587e3ac7f9da9ad7ebefccb80506e5
Darryl Nixon Aug 3, 2023

Let's see how this goes. In my ever-growing fear of getting locked out of my life from losing access to my Google and/or Apple accounts, I threw together a few things for self-hosting my own e-mail.

I purchased the lifetime 10GB storage, unlimited domains/emails deal from #MXRoute for $99. I installed getmail, dovecot-imapd, and dovecot-submissiond on my home server.

getmail uses POP-SSL to check for new e-mails every 5 minutes, retrieve them, and delete them from MXRoute's mailbox. I have a separate getmailrc file for each mailbox. These are transformed into Maildir structure/format in a ZFS pool. The 10GB storage in MXRoute is now just a receiving buffer and should be plenty in the case of local downtime.

Meanwhile, dovecot serves IMAP-SSL and SMTP-SSL using certificates generated by Caddy for my other services. The IMAP piece retrieves passwords by invoking pass, but submissiond (the SMTP-SSL relay submission server added to Dovecot in 2.3) seems not to have the same password_command functionality as Dovecot's other features (yet?), so that's unfortunately in permissed plaintext for a relay e-mail account only used for sending (no inbox).

Next step are a few management scripts as there's some duplication between configurations, but overall I'm happy with how quick it was to set up.

Show threadDarryl Nixon Jun 2, 2023

That said, I've heard #GPT4 flexes pretty hard on #GPT3, so I might subscribe to ChatGPT proper for a month to get my measly 25 messages per 3 hours.

I've heard #Bing uses GPT4 so folks are using that as a sort of bypass, but I imagine there's a tradeoff they're making in i/o privacy and retention guarantees. Any other recommendations?

Show threadDarryl Nixon Jun 2, 2023
I'm no JavaScript wizard, so #GPT3 has been great for authoring fairly advanced Frida hooks for mobile #reverseengineering. It also pretty quickly helped me throw together a simple man-in-the-middle injector with aiohttp and something related with #FastAPI.
Show threadDarryl Nixon Jun 2, 2023

I have a YakGPT instance exposed to some family that also use it, but I noticed that the #ChatGPT UI now has options that offer the same data retention/usage guarantees that the API did (no training on i/o, 30 day retention for AUP enforcement audit).

On my MBP, I picked up Machato to have something macOS-native running. It functions well but I'm getting some lag with many chats open and I don't necessarily love the UX.

GitHub - yakGPT/yakGPT: Locally running, hands-free ChatGPT UI

Locally running, hands-free ChatGPT UI. Contribute to yakGPT/yakGPT development by creating an account on GitHub.

GitHub
Darryl Nixon Jun 2, 2023
I used #OpenAI GPT-3.5 API throughout May for research assistance, coursework brainstorming, and random things that had come out (e.g., skeleton prompts for bedtime stories, discussing areas for buying a home). It only cost me $3.43. What does your use of #ChatGPT -likes look like?
Show threadDarryl Nixon Jan 26, 2023
@DarthSn3ak3rs If your optometrist is doing extraocular muscle testing today, maybe the post-it is just the start of your pentest?
Show threadDarryl Nixon Jan 25, 2023

@michaelabon I was using a local MITM proxy at the time on my host which sounds like it may be the most likely suspect. Though, I was passing thru HTTPS traffic that didn't match specific (non-1Password) domains.

Thanks, I'll toss them an e-mail anyway just in case.

Darryl Nixon Jan 24, 2023

I just received a 1Password popup in the macOS app that my secret key or password had recently changed and I'd need to re-enter my password. The secret key was autofilled correctly and, after restarting the app, my normal password still works.

I haven't changed either in years. Anyone else encounter this?

Show threadDarryl Nixon Jan 24, 2023
@0x00string All that to say, if OpenVPN is working great for you at its current speed, there's no real security-based reason to change.
Darryl Nixon Jan 24, 2023

@0x00string Tailscale is built on Wireguard so it should process traffic faster than OpenVPN. The inability to set Tailscale as "Always On" on iOS spoiled it for me, but you can do that with OpenVPN and the Wireguard app (and AFAIK you can't use the Wireguard app with a Tailscale deployment).

It'll definitely seem sketchy to have their software automatically generate, manage, and ship your keys. Effectively, it's Wireguard with a great user experience. They promise that private keys never leave devices and your e2e encrypted traffic never touches their servers.

You can read about its past CVEs. Despite their promises, I don't like the wording on the impact of CVE-2022-41924. I wonder what logs they ship that enables them to guarantee it was never seen in the wild.

WireGuard benchmark between two servers with 10 Gb ethernet

I just ran a benchmark on two of our servers with 10 Gb ethernet cards comparing an unencrypted link vs WireGuard vs OpenVPN using the config...

reddit