Sep 21, 2020

EKSA E1000 Gaming Headset Review

What's up folks!? I know I haven't written too much lately. I've been swamped with work and my other big project, which is my Come On Man - How To Be A 3% Man podcast.

One of the things I've done for that project is purchase a new headset with microphone for better audio recording on my Windows 10 laptop. I decided to go with a red EKSA E1000 USB gaming headset and it works pretty damned good!

Here I am rocking out with it. I have to say that it is super comfortable, and I really dig the rope cabling! One thing too is that it doesn't pick up the sound of the cable rubbing on my shirt when I turn my head, which was a problem with my old headset and microphone; you could hear that in the podcast.

The noise cancellation seems to be working very well too, which is a huge plus when making podcasts. You really want to block out those white noise background sounds, and with this headset you can do it without having to spend money on soundproofing your recording space!

I went ahead and made a quick audio test below that you can check out to hear how these sound in case you are thinking of getting a pair of these for podcasting as well.



So what do you think? Not bad right? Especially not bad when they cost less than $40!

Anyway, all in all not bad! I highly recommend these if you are a hobby podcaster like me!

Sep 12, 2020

I Appeared On The Uncle Mike Podcast

I posted a few weeks ago about how I started a new dating and success podcast called "Come On Man - A 3% Man Podcast." If you go back and read that article, I talk about my journey to not just be a better selector of women in my life, but also a better man in general. A part of that is being a part of a very exclusive Facebook men's group called 3% Man.

One of my fellow 3% brothers in that group also has his own podcast called "My Podcast Journey & Random Life Lessons" by Uncle Mike, aka Kwok Chan. Well, he invited me on his show to ask me about my 3% journey and I wanted to share it with you here. You can play it below:


Shortly after recording that episode with Kwok, he stuck around and we recorded an episode of "Come On Man" where we discussed all sorts of things from his 3% journey to football and how his parents immigrated from Communist China. That episode will drop on 11/2!



Aug 19, 2020

A New Project I've Started - A Dating and Success Podcast

A couple of months ago I wrote an article about my quest to be a better man. In that post I wrote out my top ten life changing books. My list of books has increased since then, and I've been busy devouring them, as well as listening to others multiple times to really internalize the information.

One of those books is How To Be a 3% Man by Corey Wayne. That book, along with Dating Essentials For Men and Atomic Attraction, has inspired me to start a new podcast for other men who are on what I call the 3% Path! That path is not just about being better with women, but also about learning to be better in life!

Introducing Come On Man - A 3% Man Podcast!

You can listen to my first episode here:



Here is the description of the podcast:

A podcast for fellow students of Corey Wayne's book, "How To Be a 3% Man" and for men who just want to be better in general. We take teachings not just from Coach Wayne, but from great teachers like Dr. Robert Glover, Chris Canwell, Napoleon Hill, Bob Proctor, Dave Ramsey and many others who have not only mastered relationships or gaining wealth, but who have harnessed the law of attraction to get everything they want out of life!

The back story to all of this is that after breaking up with a long-term girlfriend last year I had been on the dating circuit for a while, but it clicked with me that what I was doing wasn't working. It also dawned on me that I needed to figure out why my past relationships didn't work out, and all of that self reflection brought me to Corey Wayne's YouTube channel and subsequently his book!

Corey Wayne suggests reading his book, or listening to it on audio at least 10-15 times. Well, I've listened to it six times so far, and have read the paperback once. I've also listened to and read Dating Essentials For Men and Atomic Attraction about 6 times as well. I plan to listen to all three of these books well over the 15 time mark, because I get something new out of all three every time I listen or read them!

I also plan to listen to a few other really great books over and over again because as Corey says, repetition is the mother of skill!

Am I a dating expert now? Nope! Am I a dating coach now like Corey? Nope! If you want a dating coach, I suggest going to the man himself on his website, understandingrelationships.com, and hiring him!

I'm no expert; however, I have learned quite a bit from these books and from putting their knowledge into practice! I am finally starting to see lots of success not just in my dating life, but in my professional life as well! I feel so good about all of it that I decided to share it with the world!

So, if you are a guy who is struggling with women and relationships, I highly recommend grabbing a copy of Corey Wayne's book, then tuning into my new podcast every Monday and studying along with me!

Jul 20, 2020

Wait... Is Microsoft Azure Using VMware?

My company made the move to Microsoft Azure a couple of years ago. For the most part, we really like it. We've had the occasional hiccup, and their support is trash, but at least their platform is easy to learn and is relatively stable.

Well, an interesting thing happened today. I was in the process of upgrading some Ubuntu servers to 18.04, and during the upgrade process I noticed this:


It appears that their Linux VMs have VMware Tools installed, which raises the question: is Azure using VMware on the back end? One would think they were using Hyper-V.

Anyway, I thought that was interesting and should share it with you guys. If you know more about it, let me know in the comments!

Jun 30, 2020

Get Ready For An Epic SSL Certificate Maintenance Shitstorm


According to ZDNet, Apple made the executive decision back in February of this year to limit the default lifespan of SSL/TLS certificates to 398 days:

A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.

Google has opted in to join Apple as well, according to The SSL Store:

It’s no secret, Google has been championing shorter certificate validity within the CA/Browser Forum (CA/B Forum) for years. At the end of last week, a well-known voice within the forum posted on Twitter that the tech giant will be making the switch to a one year validity period of 398 days for SSL/TLS certificates starting Sept. 1. This might sound like a big move, but it doesn’t actually change anything because it was already happening.

Mozilla will be jumping on the bandwagon on August 31st according to a GitHub post.

What will this mean? Well, for one, if you host a website that has a two year SSL certificate, all major browsers are going to start displaying an error warning users that your certificate is valid for too long.

I actually agree, this will probably make things more secure. The more frequently you swap your encryption keys, the better the security. I'm already doing it with Let's Encrypt on my personal email server because Let's Encrypt makes you renew every 3 months! Let's Encrypt makes renewal easy at least with the help of automation scripts.

Swapping out certificates every year in other places can be a pain if you are using other 3rd party CAs and manually renew your certificates. It's even more of a pain when you have clients that use Java applications and manually trust their 3rd party keys for additional stringent security. That means we have to swap our keys out probably every 200 days now at my day job so we can send the keys to clients ahead of time for testing and validation...
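As an added example (my code, not from the post), here is a small Python check that parses the notBefore/notAfter lines printed by `openssl x509 -noout -dates`, flags certificates whose lifetime exceeds the 398-day limit, and computes a renewal date with an assumed lead time for clients that manually trust the key; the sample dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Browser-enforced maximum discussed above: 398 days.
MAX_LIFETIME_DAYS = 398
# Assumed lead time so clients who manually trust the key can test the new
# certificate before the old one expires (the post rotates ~every 200 days).
CLIENT_LEAD_DAYS = 60

# Layout of the two lines printed by `openssl x509 -noout -dates`,
# e.g. "notAfter=Jun 30 00:00:00 2022 GMT".
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from -dates output."""
    found = {}
    for key in ("notBefore", "notAfter"):
        match = re.search(r"^%s=(.+)$" % key, text, re.MULTILINE)
        if not match:
            raise ValueError("missing %s line in openssl output" % key)
        naive = datetime.strptime(match.group(1).strip(), _OPENSSL_DATE_FMT)
        found[key] = naive.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def check_certificate(text):
    """Return (lifetime_days, exceeds_limit, renew_by) for one certificate."""
    not_before, not_after = parse_openssl_dates(text)
    lifetime_days = (not_after - not_before).days  # notAfter minus notBefore
    renew_by = not_after - timedelta(days=CLIENT_LEAD_DAYS)
    return lifetime_days, lifetime_days > MAX_LIFETIME_DAYS, renew_by


# Constructed sample outputs; not taken from any real certificate.
TWO_YEAR_CERT = "notBefore=Jun 30 00:00:00 2020 GMT\nnotAfter=Jun 30 00:00:00 2022 GMT\n"
NINETY_DAY_CERT = "notBefore=Jun 30 00:00:00 2020 GMT\nnotAfter=Sep 28 00:00:00 2020 GMT\n"

if __name__ == "__main__":
    for label, dump in (("two-year", TWO_YEAR_CERT), ("90-day", NINETY_DAY_CERT)):
        days, too_long, renew_by = check_certificate(dump)
        print(f"{label}: {days} days, over 398: {too_long}, renew by {renew_by:%Y-%m-%d}")
```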

Basically an SSL Certificate Maintenance Shitstorm!

Do you manage SSL certificates in your environment? How are you handling it? Let us know in the comments!

Jun 12, 2020

An SSL Certificate is An SSL Certificate is An SSL Certificate

You are probably looking at the title of this post and scratching your head right about now. Allow me to try to explain my thought process here. Many moons ago I worked as a Systems Engineer for a SharePoint consulting company. It was the first place I started messing with SSL certificates for encryption. Granted, I didn't know as much about them as I do now, but I had the basics down.

One thing we did there was purchase GoDaddy SSL certificates because at the time, they were probably the cheapest 3rd party certificates out there. Shortly after I started buying them, I found the now defunct StartSSL which issued free 3rd party SSL certificates that were trusted by browsers.

It was around this time I realized that as long as a browser trusted a certificate, it really didn't matter which 3rd party certificate company you went with. I mean, the technology is the same. A certificate really is just a text file with random characters in it that is matched by another key file that is also just a text file with random characters in it. There is really nothing inherently special about a Verisign certificate vs a DigiCert certificate vs a Sectigo certificate... Basically an SSL certificate is an SSL certificate is an SSL certificate. Do you follow me?

One might have argued back then that an EV, or Extended Validation, certificate is a little more special, but even then all certificate authorities offer those, some cheaper than others, which again proves my point.

Well, I just stumbled on an article that backs my original thought on this, and goes a little bit further by arguing that even EV certificates are kind of unnecessary now, and you might as well just go with a free 3rd party certificate authority like Let's Encrypt!


...as of Autumn 2018 browsers are increasingly hiding the only information that distinguishes between these two types of certificates. It is fully possible some users will never know a site has an EV certificate in use. Google and Apple have already shown that they can and will stop showing the added benefits of higher cost security certificates, and most others will surely follow. Moreover, most users do not care or know the difference between a DV or EV certificate. To most people a site either has the padlock, or it does not, and if an EV certificate is visible, they often find the additional information confusing.

So then, why pay for these fancy certificates? Some certificate providers will offer a “warranty” on a certificate purchase. Cutting to the chase, it is not clear what value these warranties provide. There is no record of anyone using a certificate warranty, and there may not ever be. As the benefits of the higher end certificates continue to dwindle into irrelevance, all that remains is the normal, trusted, DV certificates that throw up the padlock and say it has a secure connection. This lock could be green, or grey, or whatever color the browser chooses to display. The fact of the matter is that the browser controls how the certificate displays to the user, not the certificate.

What do you think about this? Do you agree with Paradox Labs? Let us know what you think in the comments!


Jun 11, 2020

SSL Grades For The Top 6 Social Media Sites

I've been keenly aware of SSL/TLS settings on web servers for the past 9 years. Mainly because securing websites has been a big part of my job, and part of that is keeping up to date with the latest threats to SSL/TLS encryption in websites. Periodically PCI DSS standards change, which means I have to scramble to implement improved SSL/TLS standards for the websites owned by the company I work for. One of the tools I use to test my own servers is SSL Labs by Qualys.

Those of you that have been following my blog for years know about it since I write about it periodically.

Well, one of the things I like to do is check other websites and see how their SSL/TLS stands up. Are they secure enough? Should I trust them? You get the picture.

I decided to test 6 of the top social media sites out there to see if they cut the mustard! Here they are:

Twitter

Coming in at the best secured social media site with a beautiful A+ rating is Twitter! I can't complain about that at all. Well done!




LinkedIn

The social media site for professionals did fairly well with an A rating. They got dinged a little for not having DNS CAA records, which in short tell browsers which SSL certificates are authorized for use by that particular domain. It is really easy to set up, so there isn't a good reason not to have that done. They also got dinged for weak ciphers. Still though, not a bad rating.




Facebook

Probably the king of social media, and often slammed for their draconian censorship, is Facebook with a trash rating of B! They were capped at a B because they still support TLS 1.0 and 1.1, which were deprecated by PCI DSS a couple of years ago. They also accept the RC4 cipher, which is garbage. More on that after the rest of the ratings.



Snapchat

The app used by teenage girls and basic bitches on Tinder! I've said it before, your animal Snapchat dating profile picture isn't cute! Knock that shit off! Anyway, they were capped at a B rating too! At least they turned off RC4...




Instagram

Instagram is a favorite of mine. I like what their filters can do for some of the pictures I take while out hiking, or spending time with friends and family. Still though, their encryption isn't great since they were capped at a B as well. That isn't very surprising since they were bought out by Facebook.




TikTok

Finally we have TikTok. My daughter has me addicted to this silly video social media app! I wasn't going to use it but she kept texting me various videos and I was tired of opening up the links in my phone's browser. Now I love it! Still though, their security sucks as bad as Facebook with a B rating. At least they don't support RC4!






Why SSL Labs hates TLS 1.0 and TLS 1.1

Per Qualys:

Best practices outlined in RFC-7525 give reasons why it is discouraged to use protocol TLS 1.0 and TLS 1.1. PCI-DSS recommends users to switch from protocol TLS 1.0 and adopt protocol TLS 1.2+.

Why RC4 Sucks

Again, from Qualys:

RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses. After the BEAST attack was disclosed in 2011, we—grudgingly—started using RC4 in order to avoid the vulnerable CBC suites in TLS 1.0 and earlier. This caused the usage of RC4 to increase, and some say that it now accounts for about 50% of all TLS traffic.

Last week, a group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt) announced significant advancements in the attacks against RC4, unveiling new weaknesses as well as new methods to exploit them. Matthew Green has a great overview on his blog, and here are the slides from the talk where the new issues were announced.

The funniest part about some of these sites still supporting RC4 is that the above blog quote from Qualys was written in 2013! There is no good reason for anyone to still be using it at this point!

Conclusion

So should you stop enjoying these social media sites because the ratings aren't all A+? Not really. Most of these servers support strong ciphers in preferred order. That means as long as you are using updated applications and modern browsers, you are most likely connecting using the strongest ciphers and TLS versions offered by the servers. You will be fine. On top of that, most of the info you put out on social media isn't that secure anyway.

This is more of an indictment of their security and systems engineers, and I'm calling them out to do better and try harder. It's not that difficult to get at least an A rating! It also pushes your customers to improve their security as well by not allowing them to keep using legacy systems! If they want to connect to your service, they need to use modern browsers!
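To show why the conclusion above holds, here is an added example (my code, not the post's and not SSL Labs' grading logic) that simulates server-preferred protocol and cipher negotiation against a constructed B-rated profile and a hardened one, and flags the three findings the ratings call out (legacy TLS 1.0/1.1, RC4, and a missing DNS CAA record, which names the CAs allowed to issue for the domain); the cipher lists and client profiles are assumptions.

```python
# Protocol versions newest first. TLS 1.3 is left out: its cipher suites are
# negotiated separately and the post only discusses TLS 1.0-1.2 and RC4.
PROTOCOL_ORDER = ["TLSv1.2", "TLSv1.1", "TLSv1.0"]
LEGACY_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}


def negotiate(server_protocols, server_ciphers, client_protocols, client_ciphers):
    """Simulate a handshake with server-side preference: the highest common
    protocol version, then the first cipher in the server's order that the
    client also offers. Returns (protocol, cipher) or None if nothing is shared.
    (Cipher/protocol compatibility, e.g. GCM needing TLS 1.2, is not modelled.)"""
    for proto in PROTOCOL_ORDER:
        if proto in server_protocols and proto in client_protocols:
            for cipher in server_ciphers:
                if cipher in client_ciphers:
                    return proto, cipher
            return None  # common version but no common cipher
    return None


def findings(server_protocols, server_ciphers, has_caa):
    """Flag the three things the ratings above call out."""
    issues = []
    if LEGACY_PROTOCOLS & set(server_protocols):
        issues.append("supports TLS 1.0/1.1 (SSL Labs caps the grade at B)")
    if any("RC4" in c for c in server_ciphers):
        issues.append("accepts an RC4 cipher suite")
    if not has_caa:
        issues.append("no DNS CAA record published")
    return issues


# Constructed server profiles: a B-rated one like those above, and a hardened one.
B_RATED = (["TLSv1.2", "TLSv1.1", "TLSv1.0"],
           ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
            "AES128-SHA", "RC4-SHA"])
HARDENED = (["TLSv1.2"],
            ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"])

# Constructed clients: a current browser and a legacy client stuck on TLS 1.0.
MODERN_CLIENT = (["TLSv1.2"], ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"])
LEGACY_CLIENT = (["TLSv1.0"], ["RC4-SHA", "DES-CBC3-SHA"])

if __name__ == "__main__":
    for name, server in (("B-rated", B_RATED), ("hardened", HARDENED)):
        print(name, findings(*server, has_caa=(name == "hardened")))
        print("  modern client ->", negotiate(*server, *MODERN_CLIENT))
        print("  legacy client ->", negotiate(*server, *LEGACY_CLIENT))
```

The modern client lands on the server's strongest GCM suite over TLS 1.2 against both profiles, while the legacy client gets RC4 over TLS 1.0 from the B-rated server and is refused by the hardened one.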

Your thoughts?

What do you think about this? Let us know in the comments!


