Borrowing IPv6 subnets to circumvent ISP silliness ⛓️‍💥

It didn't have to be this way...

I recently revisited deploying IPv6 on my home network, having previously been frustrated by my ISP only giving me a single /64 prefix. That remains the case, but I was determined to find some creative ways of dealing with the situation. The solution turned out to involve an Amazon Web Services VPC and a pull-request to the OPNsense project.

[Read More]

Password managers are still a good thing. Here's why...

When the compromised service can offer faster fixes

Imagine, if you will, that dreaded day when you read in the news that the password manager you use has suffered a cyberattack and user data may have been obtained. Imagine feeling some sense of reassurance that the breach isn’t as bad as first thought, only to learn some time later that actually, it was worse than it was initially made out to be. Or, don’t imagine at all, because it happened. Is it game over for password managers? I sincerely hope not.

[Read More]

Nine things I hate about Multi-Factor Authentication

My love-hate relationship with 2FA/MFA

Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful.

What is MFA?

When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. Your password is “something you know”, your fingerprint is “something you are”, and a token generator (physical or app-based) is “something you have”. By combining these somethings, authentication is stronger, because the likelihood of an attacker being able to compromise two (or more) of them simultaneously, without being noticed, is much lower.

[Read More]

VPNs Considered Harmful

Confusion between anonymising and corporate VPNs is bad for cybersecurity

The Virtual Private Network, or VPN, has become a familiar term amongst Internet users in recent years. Yet, the secure tunnelling technology has been around much longer. So, why is it popular now, why should this be considered harmful, and what do we do about it?

Take the global Google Trends for the terms VPN, SSL and TLS, pictured below. Comparatively few people seem to care about SSL and TLS, but VPN sees growing interest, with repeated spikes. But what does this mean for VPN?

[Read More]