By David North
On April 25, 2024, Bogdan Syrotiuk, the 25-year-old leader of the Young Guard of Bolshevik-Leninists (the YGBL), a socialist-Trotskyist organization active in Ukraine, Russia and throughout the former USSR, was arrested by the notorious state security service of the fascistic Zelensky regime, the SBU. Bogdan is being held in atrocious conditions in a high security prison in the city of Nikolaev (Mykolaiv), which is located in southern Ukraine.
The International Committee of the Fourth International (ICFI), the world Trotskyist movement with which the YGBL is politically affiliated, has finally obtained the actual documents in which the SBU presents its charges against Bogdan Syrotiuk. These documents, which form the basis of his detention, make absolutely clear that Bogdan is the victim of a monstrous state frame-up. The allegations concocted by the SBU are a crude combination of lies, obvious fabrications, and political absurdities.
Moreover, the documents submitted by the SBU are directed not only against Bogdan. They are nothing less than a declaration of war against all left-wing and socialist opposition to the Zelensky regime and, specifically, the International Committee of the Fourth International and its public organ, the World Socialist Web Site.
The central allegation leveled against Bogdan Syrotiuk is that he is guilty of high treason. The basis of this charge is that Bogdan has been for the past two years “engaged in the preparation of publications commissioned by representatives of a Russian propaganda and information agency, the World Socialist Web Site” [emphasis added.]
The World Socialist Web Site is denounced as an instrument of “an active information war against Ukraine” being waged by Russia, which

uses the so-called “left-wing” propagandists and their information platforms (websites, media and social platforms) to discredit the support of Ukraine by international partners, justify Russia’s armed aggression against Ukraine, accusing Western countries of creating conditions under which Russia was forced to launch the so-called special military operation, fomenting wars in Ukraine by providing it with weapons, etc. As a result, they are used by Russia to systematically convey pro-Kremlin narratives to the population of Ukraine and Ukraine’s allied countries…
Since the beginning of Russia’s full-scale invasion of Ukraine, the World Socialist Web Site “WSWS” has regularly published articles in various languages aimed at discrediting Ukraine and representatives of governments around the world for assisting Ukraine in its fight against the aggressor state.

The ICFI’s opposition to the US-NATO war in Ukraine is an essential element of its political program, deeply rooted in the socialist and internationalist principles of the Trotskyist movement. The attempt of the Ukrainian regime to portray this opposition as an instrument of Putin’s propaganda network is as viciously mendacious as it is politically absurd. The intransigent opposition of the International Committee of the Fourth International to the Putin regime—which emerged as a consequence of the Stalinist bureaucracy’s final betrayal of socialism and the restoration of capitalism in the former USSR—is a fundamental political fact that is substantiated not only in written texts numbering in the hundreds, but also in the exhaustively documented activity of the Trotskyist movement spanning decades.
True to its fascist character, the Ukrainian regime is operating on the basis of the well-known precept of Hitler and his propaganda minister, Joseph Goebbels: “The bigger the lie, the more readily it will be believed.”
In this particular case, the Zelensky regime seems to believe that the scale of the SBU lies are of such a magnitude that they will simply overwhelm the thinking public. It thus expects that public opinion will accept that the Putin regime is directing the work of the WSWS, which the SBU indictment describes as

an online publication of the world Trotskyist movement, the International Committee of the Fourth International and its affiliated sections in the Socialist Equality Parties around the world, which covers the main socio-political problems around the world from the position of revolutionary opposition to the capitalist market system, with the aim of establishing world socialism through socialist revolution.

At no point does the SBU attempt to explain the contradiction that wrecks its case against Bogdan, i.e., that the political principles that he upholds as a socialist and internationalist opponent of wars waged by the capitalist ruling class are irreconcilably hostile to the policies of the Putin regime, including its invasion of Ukraine.
It attempts to evade the contradiction by simply lying. The indictment claims that Bogdan’s activities, “acting on the instructions of a representative of the World Socialist Web Site,” consisted of “supporting and justifying the conduct of the Russian aggressive war on the territory of Ukraine…”
Every word is a lie. The opposition of the ICFI, its affiliated organizations, and the WSWS to the Russian invasion, in line with its hostility to the Putin regime, is a political fact that is documented in hundreds of articles that have been posted since the first day of the invasion.
On February 24, 2022, the day of the Russian invasion, the ICFI posted a statement on the WSWS titled: “Oppose the Putin government’s invasion of Ukraine and US-NATO warmongering! For the unity of Russian and Ukrainian workers!” It began:

The International Committee of the Fourth International and the World Socialist Web Site denounce the Russian military intervention in Ukraine. Despite the provocations and threats by the US and NATO powers, Russia’s invasion of Ukraine must be opposed by socialists and class-conscious workers. The catastrophe that was set in motion by the dissolution of the Soviet Union in 1991 cannot be averted on the basis of Russian nationalism, a thoroughly reactionary ideology that serves the interests of the capitalist ruling class represented by Vladimir Putin.
What is required is not a return to the pre-1917 foreign policy of tsarism, but, rather, a revival, in Russia and throughout the world, of the socialist internationalism that inspired the October Revolution of 1917 and led to the creation of the Soviet Union as a workers state. The invasion of Ukraine, whatever the justifications given by the Putin regime, will serve only to divide the Russian and Ukrainian working class and, moreover, serve the interests of US and European imperialism.
In the two major statements that he has made during the past week, Putin has justified his actions by enumerating the provocations and crimes of the United States. There is, no question, much that is factually true in his denunciation of Washington’s hypocrisy. But the viciously anti-communist and xenophobic ideology that he invokes and the interests that he claims to be defending are thoroughly reactionary and incapable of appealing to the broad mass of the working class in Russia, let alone in Ukraine and throughout the world. A substantial section of the working class in Russia and Ukraine will be repelled by the cynicism of Putin’s glorification of the heroic struggle waged by the Soviet Union against Nazi Germany in World War II while denouncing the October Revolution and the existence of the USSR as a multi-national state.

The ICFI insisted that the socialist opposition to imperialism was incompatible with any form of national chauvinism, and, therefore, rejected all the justifications given by the Putin regime and its apologists for the invasion. Their invocation of “national defense” could not be accepted by socialists. The defeat of imperialism and its overthrow was possible only through the revolutionary struggle of the international working class. The ICFI statement cited the words of Trotsky: “Not to bind itself to the national state in time of war, to follow not the war map but the map of the class struggle, is possible only for that party that has already declared irreconcilable war on the national state in time of peace.”
The ICFI called “for an immediate end to the war,” and explained: “In opposing the invasion of Ukraine, we denounce the policies of US/NATO imperialism, whose claims to be defending democracy and human rights are blood-drenched with hypocrisy.”
This political declaration elaborated the principles and policy that have guided the work of the ICFI and WSWS since the war began.
On February 26, 2022 the International Committee held an international webinar, in which its opposition to the war was emphatically advanced. Among the speakers, in addition to myself, were Nick Beams, a longtime leader of the International Committee’s Australian section, Johannes Stern, a leader of the ICFI in Germany, Thomas Scripps, a leading member of the ICFI’s section in Britain, Joseph Kishore, the national secretary of the Socialist Equality Party in the United States, and Evan Blake, another leading member of the SEP (US).
The ICFI has never wavered from the principled opposition to the policies of NATO and Russia that it advanced in the first days of the war.
The relationship between the ICFI and the comrades of the YGBL coincided almost exactly with the outbreak of the war. They were attracted to the ICFI precisely because of its opposition to both the war and the national chauvinism of the Russian and Ukrainian regimes.
The SBU indictment charges that the World Socialist Web Site assigned to Bogdan “the task of preparing, writing, editing and publishing … both on the WSWS website and other communist-oriented media, articles, publications, comments, etc. aimed at spreading pro-Russian narratives related to the armed aggression of the Russian Federation against Ukraine, which began on February 24, 2022, to which [Bogdan Syrotiuk] gave his voluntary consent.”
In support of this claim, the SBU references a YGBL statement titled, “For the organization of an international movement of workers and young people against war!” It claims that this document, posted on the World Socialist Web Site on October 12, 2022, includes “fragments, statements, sentences and phrases… which contain justification of the armed aggression of the Russian Federation, which began in 2014…”
The actual document clearly exposes this claim to be a lie. There is not a single sentence in the YGBL declaration that indicates support for the invasion of Ukraine. The SBU cites selectively from the document, including passages only from numbered paragraphs 4, 7, 8, 10 and 13. Paragraphs 4 through 8—the SBU interrupts the continuity of the YGBL’s analysis by leaving out paragraphs 5 and 6—provide a concise Marxist explanation of the objective capitalist crisis and political aims that underlay the instigation of the war by the United States and its NATO allies. They state:

1. The new world order that the United States wants to establish looks like this very possible picture: Russia and China are to be subordinated to imperialism and divided, if that is necessary to maintain direct control over their natural, industrial-technological and human resources.
   
2. The European imperialist powers support the United States for their own place in the new redivision of the world. At the same time, European imperialism, while placed on rations by the United States, sees a way out of its economic and geopolitical predicament only in a redivision of the world in which it can regain its former greatness.
   
3. Japan, South Korea and Australia support the US only as much as it suits their interests in the struggle against China in the Pacific region. These countries will support the US as long as it allows them to compete with China. The process of dividing spheres of influence will revive the contradictions between the Pacific capitalist powers, which are as much in limbo as Europe.
   
4. The crisis of 2008 revived class struggles around the world. The Arab Spring of the early 2010s is vivid evidence of this revival. It forced US and European imperialism to take more decisive measures. In 2014, they supported a coup d'état in Ukraine. Through this coup, the US was able to create all the conditions to build a bridgehead in a future war against Russia.
   
5. The Covid-19 pandemic that erupted in 2020 exacerbated the contradictions of capitalism and was the trigger for a more rapid expansion of US imperialism in preparation for war against Russia and China. The US embarked on a more provocative path of abandoning the “one-China” policy, and increasing its support for Ukraine, as expressed in the NATO summit in August 2021, which supported Zelensky’s “Crimean platform.”
   

Significantly, the SBU leaves out paragraph 9 of the YGBL declaration, which presents a scathing indictment of the Putin regime. That paragraph reads:

The reactionary regime of Vladimir Putin emerged from the treacherous dissolution of the Soviet Union by the Stalinist bureaucracy and the restoration of capitalism. The policies of Putin, in the final analysis, are aimed at safeguarding the wealth of the post-Soviet oligarchy against the pressure of Western imperialism from above and, even more critically, against the movement of the Russian working class from below.

The SBU does cite paragraph 10, which continues the critique of the Putin regime, stating:

Within this geopolitical and social context, Putin’s adventurist invasion of Ukraine on February 24 was the Russian oligarchy’s response to NATO’s relentless expansion to the east. The Putin regime’s main objective was to achieve through the pressure of its “Special Operation” a new round of talks with the US-NATO, since the last round ended up crossing “red lines” on the part of the US-NATO, which caused Putin’s invasion [emphasis added].

The characterization of Putin’s invasion as “adventurist” is in no way compatible with what the SBU claims to be a “pro-Russian narrative.” Obviously recognizing the fragility of its attempt to portray the YGBL statement as pro-Putin propaganda, the SBU decided against further citations from the document, leaving out the YGBL’s development of its denunciation of Putin’s policies in paragraphs 11 and 12, which assert:

1. The Russian bourgeoisie’s desire for an “equal partnership” with the West was one of the most utopian delusions. This delusion, historically derived from Stalin’s policy of “Popular Fronts” and then “peaceful coexistence,” developed among the fledgling class of Russian capitalists in the 1990s.
   
2. The Putin regime has not gotten rid of this utopian delusion. Its whole policy has been to maneuver and seek compromise with the West, with whom the Russian oligarchy wanted to be “on equal footing.” Except that Western imperialism, with its conquering ambitions for Russia, did not care about these conciliatory tones of Putin’s regime.
   

The SBU also chose not to cite paragraph 17 of the YGBL statement, which declares:

The course of the war after Putin’s invasion of Ukraine increasingly emphasizes the reactionary nature of this invasion. While claiming to be fighting for the independence of the Russian people from the threat of Western imperialism, Putin is in fact only defending the independence of the Russian oligarchy to exploit the Russian working class and the country’s raw material wealth.

Paragraph 18, which is also left uncited, further demolishes the SBU’s indictment of Bogdan, the YGBL and the WSWS as instruments of Russian propaganda. The paragraph asserts that

the Putin regime has no way out of the current crisis for Russian society. It will not have such a way out in the future. All of the military and political activities of the Putin regime will only contribute to the escalation of Western imperialism and the deterioration of conditions for the Russian, Ukrainian and international working class.

The SBU also failed to cite paragraphs 19 and 20, which presciently warned of the catastrophe to which the war could lead.

1. The prospects for the present war, when thought within the framework of the capitalist system, are very bleak. First, this war will take on a long-term character and will not only be fought between Ukraine and Russia. It is the first step in inflaming the world situation to the point that the threat of a third world war is simply inevitable. All countries of the world will take part in the future war.
   
2. Secondly, the nature of the war will be determined by the policies of the ruling classes, which now stand on a blatantly anti-human position. The ruling classes are recklessly moving toward the use of nuclear weapons in the conflict, thereby creating the real possibility of a nuclear Armageddon. The specter of planetary destruction arises from the insane policies of imperialist and capitalist governments. The recklessness of the ruling capitalist elite compels young people to ask whether they will be allowed any future at all.
   

The SBU specifically cites this document as proof of Bogdan Syrotiuk’s treasonable activity. But the text of this document conclusively refutes the charge that Bogdan and the YGBL are advancing a pro-Putin narrative.
Moreover, and most decisive, the Ukrainian regime does not present a scintilla of evidence to substantiate its absurd and lying claim that the World Socialist Web Site is a “Russian propaganda and information agency.” With this filthy slander, the Zelensky regime betrays—notwithstanding the ongoing war with Russia—the lingering influence of Stalinism’s rabid hatred of Trotskyism. As in Russia, the transfer of power in Ukraine from Stalinist bureaucrats to capitalist oligarchs has not required any change in the methodology of the political police. The same techniques of fabrication and slander, utilized by the Stalinist regime against Trotskyists in the era of the Moscow Trials and the terror of 1936-39, remain operative in Kiev.
Bogdan Syrotiuk stands accused of treason and faces the threat of a life-long prison term that is the equivalent of a death sentence. But the allegations against Bogdan are based entirely on articles and speeches he has posted on the World Socialist Web Site, in which he has declared his opposition, as a socialist internationalist, to the capitalist regimes of Zelensky and Putin and the ongoing war that has cost hundreds of thousands of Ukrainian and Russian lives.
The SBU indicts Bogdan for advancing in his speeches and writings posted on the World Socialist Web Site “which are accessible to everyone in the world, including citizens of Ukraine” information that exposes the reactionary character of the Ukrainian regime and the war.
The SBU declares that Bogdan’s “criminal actions were stopped only with the intervention of a law enforcement agency.” What a devastating self-exposure of the claims that the US-NATO proxy war is being waged to defend democracy in Ukraine.
The reality is that Ukraine is a fascistic dictatorship, which applies police methods to stop the expression of popular opposition to the policies that have brought untold suffering and death to the people.
The arrest of Bogdan Syrotiuk comes precisely at a point of mounting popular opposition to the Zelensky regime. On May 18, a new and vastly unpopular mobilization law that will vastly expand the recruitment dragnet of Ukrainian military goes into effect. Even the New York Times has expressed doubts about Zelensky’s ability “to find new troops to relieve a weary, often demoralized force.”
In an article posted on the World Socialist Web Site on April 30, Maxim Goldarb, a Ukrainian socialist who has been persecuted by the Zelensky regime, reported: “More and more Ukrainian men are desperately trying to flee the country, unwilling to die for someone else’s selfish purposes.”
He added:

It is not the rich minority, but the poor majority—the unemployed, workers, peasants, teachers, doctors, office workers—that will be sent into the bloody meat grinder. Now, with the adoption of the new law, the number of men deprived of basic human rights, who will be captured and hunted down like animals and sent to the front, will increase many times over.
The profits of those who benefit from this war will also increase many times over … These huge profits will be divided up between the military-industrial complex, its lobbyists in the American and European establishment, and the Ukrainian oligarchic top brass.

Bogdan Syrotiuk’s life is in danger. In the environment of terror that exists within Ukraine, he is deprived of all means to defend himself. Efforts to obtain competent legal representation have been undermined by government threats against defense lawyers. No less than five attorneys have declined to represent Bogdan because to do so would expose them to significant physical danger.
The significance of the fight to defend Bogdan and secure his freedom extends beyond Ukraine. His incarceration is yet another example of the growing international assault on democratic rights as imperialism escalates its military operations throughout the world. The political conspiracy to destroy Julian Assange set into motion a process that is replicated throughout the world.
Those who oppose and expose the crimes of the imperialist regimes are targeted for persecution by the state. The assault on basic democratic rights—first and foremost, freedom of thought and speech—is always justified on the basis of lies.
The opponents of Israel’s genocidal war against Gazans are denounced as anti-Semites, even when the protesters are Jewish. In the denunciation of Bogdan Syrotiuk as an agent of Russia for opposing the proxy war in Ukraine, the same lying method is at work.
The real reason for the arrest and persecution of Bogdan Syrotiuk is that he is fighting for the unity of the Ukrainian, Russian and international working class against the ruling capitalist elites of all countries. As Comrade Andrei Ritsky of the Russian branch of the Young Guard of Bolshevik Leninists explained so eloquently in a speech delivered at the May Day 2024 celebration held by the International Committee:

The only “crime” that Bogdan committed was his conviction that Ukraine can become truly free only through the independent struggle of the Ukrainian working class, acting together with the international working class against imperialism and war. He advanced a principled political position based on a Marxist understanding of the war, opposed to the fanatical worship of Ukrainian nationalism as well as the reactionary Russian nationalism of the Putin regime. Like our entire movement, he has fought for the unification of workers in Russia and Ukraine with the workers in the imperialist countries, to put an end to a fratricidal war that has claimed the lives of at least half a million Ukrainians and tens of thousands of Russians.

He concluded his remarks with a declaration of the fundamental perspective that underlies the work of the Fourth International:

No bourgeois regime is capable of resolving the crisis other than through war and destruction, because any other way would be contrary to its fundamental capitalist interests. The contradictions of capitalism cannot be resolved within national borders and on the basis of a defense of private property. Only the international working class armed with the program of world socialist revolution will be able to put an end to the wars and resolve the fundamental crisis. To do so, however, it must fight for its unity with its brothers and sisters around the world.

The International Committee of the Fourth International calls for a global campaign to demand the immediate release of Bogdan Syrotiuk from prison. The fight for Bogdan’s freedom must be taken up by workers, students and all those who are committed to the defense of democratic rights and opposed to the escalation of imperialist wars that, unless stopped, threaten humanity with a nuclear catastrophe.
Join the fight to Free Bogdan. Circulate this statement as widely as possible on social media. Bring this case to the attention of co-workers, fellow students, and friends. To sign a petition demanding Bogdan’s release, contribute funds toward the defense campaign, and become personally active in the fight for his freedom, go to wsws.org/freebogdan.

Anyone who has been highjacking, invading Reddit in efforts to get me to break NO CONTACT and react poorly. ( Which I did at times). Since you still refuse to comment below on my post yesterday to get everything out in the open in public forum. Dox me, expose me , rant, call me names, etc. All welcomed yesterday on the post. Here's your chance again. I am not ever going back. No CONTACT means NO CONTACT. If don't want to expose or be exposed via educational purposes platform simply respect the NO CONTACT. Comment below 👇 Your former relation to me, and your name and what you have been doing. If you don't know me personally and are an unwitting flying monkey please reveal yourself by first name and who you have been defending through your stalking by proxy. Btw my name is Gabrielle Cook. See link for education on family Mobbing : In the comments. I am expecting no one to comment below to actually do as a ask because they seek to due me great harm covertly. Just like I stated in my post yesterday. Come on now. Prove me wrong.

Anyone who has been highjacking, invading Reddit in efforts to get me to break NO CONTACT and react poorly. ( Which I did at times). Since you still refuse to comment below on my post yesterday to get everything out in the open in public forum. Dox me, expose me , rant, call me names, etc. All welcomed yesterday on the post. Here's your chance again. I am not ever going back. No CONTACT means NO CONTACT. If don't want to expose or be exposed via educational purposes platform simply respect the NO CONTACT. Comment below 👇 Your former relation to me, and your name and what you have been doing. If you don't know me personally and are an unwitting flying monkey please reveal yourself by first name and who you have been defending through your stalking by proxy. Btw my name is Gabrielle Cook. See link for education on family Mobbing : In the comments. I am expecting no one to comment below to actually do as a ask because they seek to due me great harm covertly. Just like I stated in my post yesterday. Come on now. Prove me wrong.

I have been using Docker for years now and never knew this until about 20min ago. I have never seen this mentioned anywhere or in any tutorial I have ever followed.
When you spin up a docker container using the host network its port mappings will override your firewall rules and open those ports, even if you already created a rule to block that port. Might not be that big of a deal unless you’re on a publicly accessible system like a VPS!
When you’re setting up a container you need to modify your port bindings for any ports you don’t want accessible over the internet.
Using NGINX Proxy Manager as an example:

ports: - ‘80:80’ - ‘443:443’ - ‘81:81’ 

Using these default port bindings will open all those ports to the internet including the admin UI on port 81. I would assume most of us would rather manage things through a VPN and only have the ports open that we truly need open. Especially considering that port 81 in this case is standard http and not encrypted.
To fix this was surprisingly easy. You need to bind the port to the interface you want. So if you only want local access use 127.0.0.1 but in my example I’m using Tailscale.

ports: - ‘80:80’ - ‘443:443’ - ‘100.0.0.1:81:81’ 

This will still allow access to port 81 for management, but only through my Tailscale interface. So now port 81 is no longer open to the internet, but I can still access it through Tailscale.
Hopefully this is redundant for a lot of people. However I assume if I have gone this long without knowing this then I’m probably not the only one. Hopefully this helps someone.

Update:

There seems to be a decent amount of people in the comments who don't seem to realize this is not really referring to systems behind NAT. This post is mostly referring to those who are directly open to the internet where you are expected to manage your own firewall in the OS. Systems such as VPS's, or maybe someone who put their server directly in a DMZ. Any system where there is no other firewall in front of it.

Any data analysts/web sleuth programming geniuses out there among us?
Hey folks,
So this morning I had a bit of an epiphany. Unfortunately, it’s not something I perfectly understand well enough to act on it.
A few months ago I was listening to a podcast about how a team of investigative journalists discovered that an army of bots based out of Saudi Arabia took aim at Amber Heard online during the trial vs. Johnny Depp. First off; I don’t have a dog in that race and from what I saw during that trial I think it’s fair to say that that relationship was pretty fucked up so the idea that an army of Saudi bots tried to influence public opinion on Johnny Depp is at least conceivably possible. I remember personally taking Johnny Depps side during the trial but that podcast made me doubt whether I had just become victim to propaganda.
So what has this got to do with GME?
Well it got me thinking as to whether we had folks in our community who can analyse large volumes of data. Over the last week we have seen a huge influx of what appear to be shill bots on this sub. But one place this seems to have been more dramatic was Twitter (I can’t bring myself to refer to it as X). What if we could figure out a way to crowd source the collection of seemingly bot posts about GME, and see if there are any commonalities among them. The first question we could answer (although I think we all know the answer ourselves intuitively) is what percentage of these anti-GME posts are organic and what percentage weren’t? From there we could look to see if we could figure out where these are coming from. Over this saga we have proposed many villains in this sub; Mr Left, K Griffin, B Hwang, Archegos, Credit Suisse (by proxy of Archegos, now UBS. Then of course we have S Cohen, Vlad who robbed the hood, Apex Clearing, the DTCC etc etc etc.(I had to write names like this because when I tried to post the full names the post was auto-removed… suspicious much?) it’s practically impossible to figure out who is sitting with a massive net-short position on GameStop. If we were to identify who’s funding these bot farms, we could possibly figure out who it is that has the largest vested interest in controlling the narrative on GameStop.
I work as a product manager for a tech company and while I don’t know how to actually do anything technical, I kind of understand how you might go about a task like this if you had the right resources available to you. I will caveat that what I am about to say will show how limited my technical capabilities are, but nonetheless here goes; we would first need to collect all the posts, comments and tweets and associated accounts with negative sentiments about GameStop. I believe after that we would need to use some sort of analytics tool like Information Tracer dot com (referenced in the podcast as a tool used to identify such disinformation campaigns)
As I say I know sweet fuck all about how to do any of this. I do know though that our Ape Historian has been collecting info and posts from this sub for a long time. The main thing that currently seems out of reach is someone who can analyse large data sets and write algorithms to spot patterns in these accounts. For that we would need some sort of applied scientist who could perform such analysis. So with that said, do any of you know how to perform such analysis? I have to thing that among us there must be at least 1 person with these skills. I’d be happy to fund (within reason I’m a europoor) such a campaign if the right person came forward to work on this.
This is just an idea, hoping this strikes a cord with our community.
Buy Hold DRS

Focused Compounding Core Proxy Site
https://www.prkaproxyfight.com/
Focused Compounding Filings
https://www.prkaproxyfight.com/fc-filings
Some Company Data (Verify Correctness)
https://docs.google.com/spreadsheets/d/19dTH50zUNafXY9FJ70_oYQuDLXASbdEX_RnQY4foWVU/edit?usp=sharing
Still no position in this one, but it's looking pretty interesting. Happy Saturday Everyone.
Focused Compounding Fund, L.P. Publicizes Plan for Parks! America https://www.globenewswire.com/en/news-release/2024/05/08/2877888/0/en/Focused-Compounding-Fund-L-P-Publicizes-Plan-for-Parks-America.html
DALLAS, May 08, 2024 (GLOBE NEWSWIRE) -- Focused Compounding Fund, L.P. (“Focused Compounding”) today issued its operating plan (its “Operating Plan”) for Parks! America, Inc. (OTCPink: PRKA) (“Parks!” or the “Company”). If all four (4) of Focused Compounding’s nominees are elected to the Company’s board of directors (“Board”) at the upcoming annual meeting of Parks!, scheduled for June 6, 2024 at 10 a.m. Eastern Time (the “Annual Meeting”), such new directors will work with the other members of the Company’s Board to implement the Operating Plan, subject to their fiduciary duties. Focused Compounding urges shareholders to vote for Focused Compounding’s nominated director candidates.
The full text of the Operating Plan follows:
Focused Compounding’s Plan for Parks! America
The upcoming annual meeting of Parks! America, Inc. (“Parks!” or the “Company”) scheduled for June 6, 2024 at 10 a.m. Eastern Time (the “Annual Meeting”) is a fight to determine the future of the Company. Focused Compounding has a plan it believes will maximize value for all shareholders. If elected at the upcoming Annual Meeting, Focused Compounding’s new directors will work with the Company’s other members of the board of directors (“Board”) to implement the plan, subject to their fiduciary duties.
~Return Capital to Shareholders~
Capital will be returned in two phases:
-Phase one will consist of multiple one-time events intended to return the greatest amount of cash to shareholders in the shortest amount of time.
-Phase two will consist of ongoing cash returns to shareholders.
Phase One
Sell the two unprofitable parks: (1) Aggieland, and (2) Missouri.
Add prudent leverage to the Georgia park (e.g. 3x debt/EBITDA).
Pay out all cash beyond what’s needed to maintain a prudent leverage ratio.
Cash could be returned through:

1. a tender offer or stock buyback, and
2. one or two special dividends.

Total cash returned as a result of all Phase One actions combined (i.e. selling both parks and adding leverage) is expected to be between 10 cents and 25 cents per share (example: 25-65% of current market cap based on the May 7, 2024 closing share price*).*
Phase Two
If the company receives a high EBITDA multiple offer for the Georgia park, sell the entire Company.
Otherwise: each year, pay out a special dividend equal to all cash above the amount needed to maintain the prudent leverage ratio (example: 3x debt/EBITDA).
Cash returned annually during phase two is expected to be around 2 cents per share (example: 5% dividend yield on current stock price).
~Improve Investor Relations~

• Conduct a reverse stock split of 1-for-100 (example: new share price of $20 to $60 a share)
• Add a head of investor relations
• Host quarterly calls with the majority of time spent on investor Q&A
• Host in-person annual shareholder meetings (with a Q&A session) held at the Georgia Park
• Host an in-person investor day (with a Q&A session) at a location that is easily accessible for finance professionals to attend

~Divide Capital Allocation and Park Operating Responsibilities~
After selling both unprofitable parks, there will be two remaining entities:

1. Wild Animal Safari Georgia – The Georgia park. A pure operating subsidiary responsible for 100% of the company’s earnings. The president will be an experienced amusement park executive, paid a base salary plus incentive compensation based on increases in the Georgia Park’s EBITDA. We believe incentive compensation should represent greater than 50% of this executive’s total pay.
2. Parks! America, Inc. – A pure holding company with no operations. The president would be Geoff Gannon, holding an unpaid position.

The board’s “Strategic Growth Committee” will be replaced by a “Capital Allocation Committee.” This committee will meet very frequently.
~Improve Incentivization of Employees~
The President of Wild Animal Safari Georgia (the operating subsidiary) and all employees at the Georgia park will participate in a bonus pool the size of which will be determined by year-over-year improvements in EBITDA. No bonuses will be paid when there is no year-over-year improvement in EBITDA.
______________________________________________________________________________
The implementation of this plan is contingent on the election of Focused Compounding’s four (4) director-nominees at the Company’s Annual Meeting. The financial forecasts contained herein are not a guaranty of what will happen, but rather are based on our market knowledge, and what we believe to be conservative forecasts.
Focused Compounding is currently in a proxy contest with the Company, the outcome of which may determine the future of the Company. The Plan outlines what Focused Compounding’s nominees would propose to do if they are elected to the Board of Parks! America at the Annual Meeting, subject to their fiduciary duties.

I have a very unusual hobby in that I like to download my Location History from Google and plot it in GIS software where I then intersect it with various polygons to get a proxy of how much time I have spent in various geographic areas.
Almost two years ago, I noticed that my file included this "Tombstones.csv" file in my data. This showed that certain ranges of my Location History were deleted, and it said when those ranges were deleted. These entries in these Tombstones files seem to last around two months, and then those too are gone forever (so if you hadn't downloaded your data in the last two months, you could have lost data without even knowing it). Since I download this data extremely regularly, I usually have backups of this data, so I can see exactly what they deleted (or I can see what they didn't delete on either side and interpolate from memory). In the past, I had noticed some weak patterns: much of the data that was deleted when I was riding public transit, which I do fairly often, but much less frequently than I drive my personal vehicle. So that stood out to me, but wasn't enough to discount the possibility of a coincidence. I also noticed that many of the times of deletion (when they actually deleted the data, not the data timeframe itself) were when I was on board an airplane. I don't fly all that much, so this was curious as well.
But today I finally have definitive proof that these deletions aren't random. Today I downloaded my data and I found four new Tombstones: all from 2022 or 2023, so I have that data backed up and can see exactly what they deleted. All four times were when I went to this physical therapy clinic across town. I went to this clinic four times, and this week all four of those drives were deleted, and nothing else.
This is just extremely bizarre to me, and for years I have had no luck getting anybody at Google to explain this. Does anybody have any idea what is going on here? I have asked friends to download their own data and they have Tombstones as well, so I know this is something that is likely happening to everybody with a Google account with Location History turned on.

I have a question. If I have a separate public web server running on Linux on a fast panel, other computers have private microservices that I want to route through a router to a reverse proxy, but the forwarding of ports 80 and 443 is already occupied by the web server, is there a solution?

https://gamestop.gcs-web.com/node/20481/html
there were 306,186,849 shares of our common stock outstanding. ... Holders of our common stock are entitled to receive such dividends as may be declared by our board of directors from time to time out of assets or funds legally available for payment, subject to the rights of the holders of our preferred stock, if any. ... Anti-Takeover Provisions
Charter
Our charter and bylaws may be deemed to have an anti-takeover effect and may delay, defer or prevent a tender offer or takeover attempt that a stockholder might consider in its best interest, including those attempts that might result in a premium over the market price for the shares held by stockholders. Our charter contains a provision expressly stating that we are not subject to Section 203 of the Delaware General Corporation Law, which would otherwise restrict certain transactions with an interested stockholder. ... Authorized But Unissued Shares
The authorized but unissued shares of common stock and preferred stock are available for future issuance without stockholder approval. These additional shares may be utilized for a variety of corporate purposes, including future public offerings to raise additional capital, corporate acquisitions and employee benefit plans. The existence of authorized but unissued shares of common stock and preferred stock could render more difficult or discourage an attempt to obtain control of us by means of a proxy contest, tender offer, merger or otherwise. ... DEPOSITARY SHARES. General
We may, at our option, elect to offer fractional interests in shares of a series of preferred stock as depositary shares, rather than full shares of preferred stock. In such event, we will issue depositary receipts for those depositary shares, each of which will represent a fraction of a share of a particular class or series of preferred stock, as described in the related prospectus supplement. ... The prospectus supplement relating to a series of depositary shares will set forth the name and address of the Preferred Stock Depositary with respect to those depositary shares. Subject to the terms of the deposit agreement, each owner of a depositary share will be entitled, in proportion to the applicable fraction of a share of preferred stock represented by the depositary share, to all of the rights, preferences and privileges of the preferred stock represented thereby (including dividend, voting, conversion, exchange, redemption, and liquidation rights, if any).
The depositary shares will be evidenced by depositary receipts issued pursuant to the applicable deposit agreement. Depositary receipts will be distributed to those persons purchasing the fractional interests in shares of preferred stock as described in the applicable prospectus supplement. ... Dividends and Other Distributions
The Preferred Stock Depositary will distribute all cash dividends or other cash distributions received in respect of a series of preferred stock to the record holders of depositary receipts relating to that preferred stock in proportion, insofar as possible, to the number of the depositary receipts owned by those holders on the relevant record date (subject to certain obligations of holders to file proofs, certificates and other information and to pay certain charges and expenses to the Preferred Stock Depositary). The Preferred Stock Depositary will distribute only such amount, however, as can be distributed without attributing to any holder of depositary shares a fraction of one cent, and the balance not so distributed will be held by the Preferred Stock Depositary and added to and treated as part of the next sum received by such Preferred Stock Depositary for distribution to record holders of depositary shares then outstanding.
In the event of a distribution other than in cash, the Preferred Stock Depositary will distribute property received by it to the record holders of depositary shares entitled thereto, in proportion to the number of such depositary shares owned by those holders, unless the Preferred Stock Depositary determines that it is not feasible to make such distribution, in which case the Preferred Stock Depositary may, with our approval, adopt a method it deems equitable and practicable to effect the distribution, including the public or private sale of such property and distribution of the net proceeds therefrom to holders of depositary shares.
The amount so distributed to record holders of depositary receipts in any of the foregoing cases will be reduced by any amount required to be withheld by us or the Preferred Stock Depositary on account of taxes. The deposit agreement will also contain provisions relating to the manner in which any subscription or similar rights offered by us to holders of the preferred stock will be made available to holders of depositary shares.
No distribution will be made in respect of any depositary share to the extent that it represents any preferred stock converted into other securities. ... Redemption of Depositary Shares
If a series of preferred stock represented by depositary shares is subject to redemption, the depositary shares will be redeemed from the proceeds received by the Preferred Stock Depositary resulting from redemption, in whole or in part, of such class or series of preferred stock held by the Preferred Stock Depositary. The redemption price per depositary share will be equal to the applicable fraction of the redemption price and other amounts per share, if any, payable in respect of such class or series of preferred stock. Whenever we redeem preferred stock held by the Preferred Stock Depositary, the Preferred Stock Depositary will redeem as of the same redemption date the number of depositary shares representing shares of preferred stock so redeemed. If fewer than all of the depositary shares are to be redeemed, the depositary shares to be redeemed will be selected by pro rata (as nearly as may be practicable without creating fractional depositary shares), or by any other methods that may be determined to be equitable by the Preferred Stock Depositary.
From and after the date fixed for redemption, all dividends in respect of the preferred stock so called for redemption will cease to accrue, the depositary shares so called for redemption will no longer be deemed to be outstanding, and all rights of the holders of the depositary shares with respect to those depositary shares will cease, except the right to receive the redemption price upon that redemption. Any funds deposited by us with the Preferred Stock Depositary for any depositary shares which the holders thereof fail to redeem shall be returned to us after a period of two years from the date those funds are so deposited. ... Conversion and Exchange of Preferred Stock
The depositary shares are not convertible into common stock or any of our other securities or property. Nevertheless, if so specified in the related prospectus supplement relating to an offering of depositary shares, a record holder of depositary receipts may have the right or obligation to surrender such depositary receipts to the Preferred Stock Depositary, with written instructions to the Preferred Stock Depositary to instruct us to cause conversion of the shares of preferred stock represented by the depositary shares, as evidenced by such depositary receipts, into whole shares of common stock, and we agree that upon receipt of such instructions and any amounts payable in respect thereof, we will cause the conversion thereof utilizing the same procedures as those provided for delivery of preferred stock to effect such conversion. If the depositary shares evidenced by a depositary receipt are to be converted in part only, a new depositary receipt or receipts will be issued for any depositary shares not to be converted. No fractional shares of common stock will be issued upon conversion, and if such conversion would result in a fractional share being issued, an amount will be paid in cash by us equal to the value of the fractional interest based upon the closing price of the common stock on the last business day prior to the conversion.
///////
I'm not in the financial world by any means, but it seems like this report was pretty interesting. Unless of course this is standard fare. It does seem however like they may be releasing some form of digitised token in exchange for shares, which explains DFV's tired Ben affleck meme because presumably hedgefunds can buy a shit load of tokens. I think the point of it though is that they will make the old shares useless after 2 years, so the hedgefunds will have to buy the real shares to supply them to their borrowers so they in turn can get the tokens. But it means they have two years. From what I understand.

Hi all,
I'm having some trouble wrapping my head around the AWS landscape and how best to approach my issue.
I have a system where integration tests are run using AWS Fargate. To run the integration tests, the containers need access to certain subdomains that are inaccessible to the public (pre-prod environments). So, I need to whitelist an IP range, but I'm not entirely sure which IP addresses my Fargate tasks can use as a public IP, and how to reduce the IP range as much as possible.
One option that I've thought of is to just use a protected/private proxy server, but setting up a proxy server is potentially a bit more expensive than just switching a button that I've missed.
What's the best way to go about this? Thanks in advance!

(Originally posted to selfhosted)
Over the past few months, I've tested several self-hosted reverse proxy solutions for my local network and I decided to share my experience for anyone else in the market. Full disclosure: I'm not an advanced user, nor am I an authority on this subject whatsoever. I mainly use reverse proxies for accessing simple local services with SSL behind memorable URLs and haven't dipped my toes into anything more complex than integrating Authentik for SSO. I prefer file-based configuration, avoid complexity, and don't need advanced features; so this list certainly won't be valuable for everyone. Feel free to share your opinions; I'd love to hear what everyone else is using.
Here's my opinionated review of the reverse proxy solutions I've tried, ranked from most likely to recommend to newcomers to least likely:

1. Caddy: As easy as it could possibly get, and by far the most painless reverse proxy I've used. It's extremely lightweight, performant, and modular with plenty of extensions. Being able to configure my entire home network's reverse proxy hosts from a single, elegantly formatted Caddyfile is a godsend. Combined with the VS Code Server for easy configuration from a browser, I couldn't recommend a more painless solution for beginners who simply want to access their local services behind a TLD without browser warnings. Since I have my own FQDN through Cloudflare but don't have any public-facing services, I personally use the Cloudflare DNS provider Caddy addon to benefit from full SSL using just a single line of configuration. Though, if your setup is complex enough to require using the JSON config, or you rely heavily on Docker, you might also consider Traefik.
2. Traefik: Probably the most powerful and versatile option I've tried, with the necessary complexity and learning curve that entails. Can do everything Caddy can do (perhaps even better depending on who you ask). I still use it on systems I haven't migrated away from Docker as the label system is fantastic. I find the multiple approaches to configuration and the corresponding documentation hard to wrap my head around sometimes, but it's still intuitive. Whether or not I'd recommend Traefik to "newcomers" depends entirely on what type of newcomer we're talking about: Someone already self-hosting a few services that knows the basics? Absolutely. My dad who just got a Synology for his birthday? There's probably better options.
3. Zoraxy: The best GUI-based reverse proxy solution I'm familiar with, despite being relatively new to the scene. I grew out of it quickly as it was missing very basic features like SSL via DNS challenges when I last tried it, but I'm still placing it high on the list solely for providing the only viable option for people with a phobia of config files that I currently know of. It also has a really sleek interface, although I can't say anything about long-term stability or performance. YMMV.
4. NGINX: Old reliable. It's only this far down the list because I prefer Traefik over vanilla NGINX for more complex use cases these days and haven't used it for proxy purposes in recent memory. I have absolutely nothing bad to say about NGINX (besides finding the configuration a bit ugly) and I use it for public-facing services all the time. If you're already using NGINX, you probably have a good reason to, and this list will have zero value to you.
5. NGINX Proxy Manager: Unreliable. It's this far down the list because I'd prefer anything over NPM. Don't let its shiny user-friendly frontend fool you, as underneath lies a trove of deceit that will inevitably lead you down a rabbit hole of stale issues and nonexistent documentation. "I've been using NPM for months and have never had an issue with it." WRONG. By the time you've read this, half of your proxy hosts are offline, and the frontend login has inexplicably stopped working. Hyperbole aside, my reasoning for not recommending NPM isn't that it totally broke for me on multiple occasions, but the fact that a major rewrite (v3) is supposedly in the works and the current version probably isn't updated as much as it should be. If you're starting from scratch right now, I'd recommend anything else for now. Just my experience though, and I'm curious how common this sentiment is.

Honorable mentions:

• SWAG: Haven't used this one since I moved away from Docker, but I've seen it recommended a ton and it seems the linuxserver.io guys are held in pretty high regard. It's definitely worth a look if you use Docker or want an alternative Traefik.
• HAProxy: I didn't include it in the list because I was using the OPNsense addon and nearly went insane in the process. It might have just been the GUI, but it's the only reverse proxy solution I've used that made me actively feel like a moron. Definitely has its purpose, but I personally had no reason to keep putting myself through that

Edit: Clarified my reasoning for the NPM listing a bit more as it came off a bit inflammatory, sorry. I lost a lot of sleepless nights to some of those issues.

(This was originally a comment, but I decided to make it a post to share with others.)
Over the past few months, I've tested several self-hosted reverse proxy solutions for my local network and I decided to share my experience for anyone else in the market. Full disclosure: I'm not an advanced user, nor am I an authority on this subject whatsoever. I mainly use reverse proxies for accessing simple local services with SSL behind memorable URLs and haven't dipped my toes into anything more complex than integrating Authentik for SSO. I prefer file-based configuration, avoid complexity, and don't need advanced features; so this list certainly won't be valuable for everyone. Feel free to share your opinions; I'd love to hear what everyone else is using.
Here's my opinionated review of the reverse proxy solutions I've tried, ranked from most likely to recommend to newcomers to least likely:

1. Caddy: As easy as it could possibly get, and by far the most painless reverse proxy I've used. It's extremely lightweight, performant, and modular with plenty of extensions. Being able to configure my entire home network's reverse proxy hosts from a single, elegantly formatted Caddyfile is a godsend. Combined with the VS Code Server for easy configuration from a browser, I couldn't recommend a more painless solution for beginners who simply want to access their local services behind a TLD without browser warnings. Since I have my own FQDN through Cloudflare but don't have any public-facing services, I personally use the Cloudflare DNS provider Caddy addon to benefit from full SSL using just a single line of configuration. Though, if your setup is complex enough to require using the JSON config, or you rely heavily on Docker, you might also consider Traefik.
2. Traefik: Probably the most powerful and versatile option I've tried, with the necessary complexity and learning curve that entails. Can do everything Caddy can do (perhaps even better depending on who you ask). I still use it on systems I haven't migrated away from Docker as the label system is fantastic. I find the multiple approaches to configuration and the corresponding documentation hard to wrap my head around sometimes, but it's still intuitive. Whether or not I'd recommend Traefik to "newcomers" depends entirely on what type of newcomer we're talking about: Someone already self-hosting a few services that knows the basics? Absolutely. My dad who just got a Synology for his birthday? There's probably better options.
3. Zoraxy: The best GUI-based reverse proxy solution I'm familiar with, despite being relatively new to the scene. I grew out of it quickly as it was missing very basic features like SSL via DNS challenges when I last tried it, but I'm still placing it high on the list solely for providing the only viable option for people with a phobia of config files that I currently know of. It also has a really sleek interface, although I can't say anything about long-term stability or performance. YMMV.
4. NGINX: Old reliable. It's only this far down the list because I prefer Traefik over vanilla NGINX for more complex use cases these days and haven't used it for proxy purposes in recent memory. I have absolutely nothing bad to say about NGINX (besides finding the configuration a bit ugly) and I use it for public-facing services all the time. If you're already using NGINX, you probably have a good reason to, and this list will have zero value to you.
5. NGINX Proxy Manager: Unreliable. It's this far down the list because I'd prefer anything over NPM. Don't let its shiny user-friendly frontend fool you, as underneath lies a trove of deceit that will inevitably lead you down a rabbit hole of stale issues and nonexistent documentation. "I've been using NPM for months and have never had an issue with it." WRONG. By the time you've read this, half of your proxy hosts are offline, and the frontend login has inexplicably stopped working. Hyperbole aside, my reasoning for not recommending NPM isn't that it totally broke for me on multiple occasions, but the fact that a major rewrite (v3) is supposedly in the works and the current version probably isn't updated as much as it should be. If you're starting from scratch right now, I'd recommend anything else for now. Just my experience though, and I'm curious how common this sentiment is.

Honorable mentions:

• SWAG: Haven't used this one since I moved away from Docker, but I've seen it recommended a ton and it seems the linuxserver.io guys are held in pretty high regard. It's definitely worth a look if you use Docker or want an alternative Traefik.
• HAProxy: I didn't include it in the list because I was using the OPNsense addon and nearly went insane in the process. It might have just been the GUI, but it's the only reverse proxy solution I've used that made me actively feel like a moron. Definitely has its purpose, but I personally had no reason to keep putting myself through that

Edit: Clarified my reasoning for the NPM listing a bit more as it came off a bit inflammatory, sorry. I lost a lot of sleepless nights to some of those issues.

During Putin's visit to China, Putin was greeted with a grand and respectful welcome, highlighting the strongest diplomatic ties between Russia and China.
On the other hand, the USA is burdened with over $34 trillion. The Congressional Budget Office (CBO) projects that interest payments will total $870 billion in fiscal year 2024 and rise rapidly throughout the next decade—climbing from $951 billion in 2025 to $1.6 trillion. In the next decade, net interest payments will be over $12.4 trillion.
If I speak, the majority of typical Americans express their anger towards me and utilize offensive language. This is what I perceive as an authentic representation of American culture. The majority of American lack knowledge, exhibit ignorance, harbor hatred, lack respect, lack curiosity, and struggle to differentiate between right and wrong but are strongly opinionated. In essence, most American citizens prioritize their own desires, disregarding fundamental principles of civility and consciousness. To them, engaging in warfare equates to amusement and a stronger economy.
Following the Second World War, the United States experienced economic prosperity, leading to its emergence as an economic powerhouse. For that reason, most American believe warfare symbolizes power and pride. In contrast, throughout the Dark Ages, Europeans engaged in internal conflicts and launched three Crusades against Muslims, resulting in bloodbaths and destruction, not an economic powerhouse. The Europeans we witness today are a consequence of the deceptive foreign policies implemented by East India Companies in the name of trade rather than warfare. Similarly, the United States we observe today is a product of the "Good Faith financial product and trade currency Dollar," represented by the IMF and World Bank, rather than warfare. Warfare signifies destruction and permission to commit acts of violence and sexual assault.
During the Cold War, all US presidents made great efforts to avoid direct war with the Soviet Union. The rivalry between the Soviet Union and the USA began in the early 1919s, with communism reaching its peak. Both nations engaged in proxy wars using puppets rather than directly confronting each other, as the consequences would have been devastating. After the Cold War, the USA lacked a clear foreign policy, leading to uncertain world relations. The influence of foreign intelligence and lobbyists on the US media can make it challenging to grasp the political landscape. There are concerns that the media shapes the image of US politicians and influences policy decisions and public opinion. Additionally, there are allegations that the media promotes certain candidates and perpetuates false narratives.
As of today, in the first quarter, China sold a significant amount of Treasury and US agency bonds, indicating the country's strategy to diversify its assets away from American holdings amidst ongoing trade tensions.
My prediction was the USA would crash in 2032.

If you suffer from stucking at "SplashScreen.exe" or "EAC.exe"
Please check your Internet connectivity to domain gossip.easyanticheat.net and download.eac-cdn.com (Note as of May 2024, these addresses are not pingable and the services are through HTTPS Port 443)
Especially you're:

1. From a country where has some level of Internet blockage (China, Iran, Vietnam etc.)
2. Your country is not in EasyAntiCheat service area
3. Having a bad Internet connection (Bad routing quality or blacklisted IP)

Why would this happened? Mainly because EAC's server sucks, they don't have global CDN coverage as of May 2024, they only have servers in the US. So when you met one of the condition listed, you may not be able to download the anti-cheat file located in %AppData%\EasyAntiCheat\90 named easyanticheat_wow64_x64.eac and this file is critical for EAC games.
What should I do?
Scene 1: For residential user with dynamic IP, try reconnecting WAN on your router configuration page, getting a new IP usually fix this issuse.
Scene 2: If you're using static IP or NATed by your ISP, you can find a VPN or free proxy. I recommend using VPN because when you play multi-player, and because WD2 is P2P, your connection is not protected and will expose your real Public IP to other players, if you don't want to use a VPN, you can download a Software called Proxifier and proxy the two domains above. (Do not download any program from untrusted sources or download easyanticheat_wow64_x64.eac from 3rd party websites, this file is kept updated by EAC)
Of course then we have scene 3 where EAC's servers are fucked, but that's rare, and you can always check on downdetector.com

I want to get rid of Cloudflare Proxy to protect my home network. It's too restrictive, and I want to use all of my 5Gb fiber internet. Currently, I have my unraid server behind a pfsense firewall, with nat forwarding 80 and 443 to 280 and 2443 to my unraid server running swag. I have proxied cnames on cloudflare that references back to my reverse proxied docker apps. Nextcloud primarily. Everything works perfectly. Except for speed and latency. I want to remove the cloudflare proxy, and install a vps in the mix to hide my public facing IP address.
So I've got a vps running, tailscale on it and my unraid server. I can ping one another, and iperf gives me about 2Gb up and down between the two. I've created simple port forward rules on my VPS that SHOULD route the 80 and 443 traffic to my tailscale IP on ports 280 and 2443. But I curls fail, and if I navigate to my VPS address, the request dies.
What do I need to do to get this thing functioning properly? This shouldn't be a tough task...but for the life of me, I can't figure it out.

Been using godaddy as my domain registar for over 15 years without issue. My setup is using caddy as reverse proxy with several self hosted sites via A records to my public static IP. At first i was having an issue with ERR_TOO_MANY_REDIRECTS on caddy and fixed that by switching to Full(strict). all services are accessable, I host a unifi controller with about 30 sites connected to a CK-GEN2 and a meshcentral server with about 200 endpoints. Now after switching to cloudflare some of the unifi devices on varius sites randomly show offline and reconnect occasionally and some endpoints on meshcentral became offline. rebooting my mesh server will reconnect some of them but leave others that were previously online as now offline. In the traffic dashboard i see about 180k requests in 24 hours and im assuming thats mainly keep alive for unifi and mesh. Is there something i might be doing wrong here?

Tuesday, May 21, the Ventura City Council will decide what to do about Main Street Moves.
Here is the agenda
Here is the staff report on Main Street Moves
The recommendation is:
a. Adopt a Resolution determining that specified portions of Main Street and California Street are no longer needed for vehicular traffic pursuant to California Vehicle Code Section 21101(a)(1).
b. Approve extending the Main Street Moves closure of such streets through January 31, 2025, and find that the continued closure is categorically exempt from the California Environmental Quality Act pursuant to Sections 15301, 15061, and 15300.2(c) of the CEQA Guidelines.
We are getting a whole lotta emails from Peter Goldenring threatening legal action. While I personally think Mr. Goldenring is behind the current lawsuit from the so-called Open Main Street group, the only person who actually signed that lawsuit was Jeff Becker.
We also got an email from Jeremy Ireland.
These will be published in the supplemental packet for the meeting, but that supplemental packet is hard to find and I don't know when it'll come out. So I've put them on my website if you're interested.
A couple things to know: first, I won't support having people in parklets while there's car traffic on the street. Second, I think there's zero chance the parklets could be trotted out only for weekends. Third, I think there's a small chance they could be installed over the summer, though I suspect they'd look like they were made out of pallets and beer kegs.
Fourth, apparently somebody's been running around telling property owners that if we keep it closed to traffic, the city is going to send them a bill for tens of thousands of dollars This is 100% false.
Yes, some of the parklets look super janky. We've adopted design guidelines that would go into effect which would require them to be pretty as a bluebird on sweet pea vine on a sunny day.
The ugly military looking barricades would be replaced by nice looking bollards. Installing bollards requires digging, which requires some archeological care, which is part of the environmental work that is rolled into the whole Main Street Moves study, which has taken forever. Two years ago, Council gave clear direction to get it done. One obstacle has been a single member of the public who has driven staff in circles with constant barrage of demands for documents, and so on.
Finally, watch out, because at least one member of the public who's been going everywhere bashing Main Street Moves has not disclosed he's a proxy, paid by Jeremy Ireland. (You can read an email from Mr. Ireland at my website).

We have a customer request to expose some RHEL packages in CI and our solution was to setup a proxy repo to pull from a mirror, should be a standard use case.
The issue is Sonatype docs for creating a yum proxy will not work for our use case:

1. because our RHEL instances are managed through licensing through AWS, our RHEL instances are not registered and do not have a subscription attached. However, they don't need this because they have ssl certs to authenticate to various RHUI repos configured in `yum.repos.d`. Because our RHEL instances do not have a subscription attached, there is no entitlement to make the `keystore.p12` file used to authenticate the request in Nexus.
2. Even if the request was authenticating, Nexus proxy repo only supports one remote url, while `yum.repos.d` have 4 enabled repos to query
3. RHEL also makes use of a client config server repo to keep the instance and RHEL packages up-to-date. It feels wrong to take the proxy request for repos and separate it from the process Red Hat uses to keep the integrity of their package management.

My idea to resolve this is to setup a RHEL instance that acts as a forward proxy server in our cluster. The idea is this:
When user invokes a yum install, then Nexus forwards the request to proxy, and proxy forwards the request to RHUI, and package is pulled from RHUI and sent back to client.
This should make managing subscription moot, leaving AWS to handle the connectivity and authentication to RHUI, as well as leave the `yum.repos.d` structure intact and referenced with only one yum proxy repo needed in Nexus and still maintain the package integrity provided by the RHEL client config server repo.
So my questions are this: am I on the right track with this approach? Am I correct that Nexus can't handle multiple enabled yum repos without having to making a one-to-one Nexus repo for each yum repo, or how would you handle one Nexus yum repo to many yum repos? And, I'm still really fresh to DevOps and AWS/Kubernetes: how do you point Nexus to this proxy server? We can assume they will be in the same network/cloud/cluster etc but I don't know if there will be extra authentication or a tls handshake needed in order to authenticate the request to the forward proxy? I'm wondering if it's a problem of how pods communicate with one another, but to me I've used a public/private key pair to ever authenticate to my EC2 instances.
I'm also wondering if I still use a proxy repo in Nexus or if I use a hosted repo since we own the RHEL instance? Basically whatever enables us to get these packages

Cisco Router Security
What are the two access privilege modes of the Cisco router?
User EXEC Mode: This is the initial access mode for a router. In this mode, the user can access only a limited set of basic monitoring commands.
Privileged EXEC Mode: This mode provides access to all router commands, such as debugging and configuration commands. It requires a password for access to ensure security.
What is the approach for password for the privileged mode of the router?
enable secret [password]
uses hashing algorithm so that the password is not in plain text but encrypted
How to ensure that all passwords in the router are stored in the encrypted form?
service password-encryption
What is the difference between the Cisco router’s startup and running configurations?
How to save the running configuration into start up configuration?
Startup Configuration: Stored in the NVRAM, this configuration is used to boot the router. It remains unchanged until an administrator explicitly saves the running configuration to it.
Running Configuration: Held in the router’s RAM, this configuration is active on the router. Changes to the router’s configuration are made here and are effective immediately.
Know and be able to configure all aspects of the Cisco router covered in class. For example,
configuring the router interfaces, setting the router OSPF ID, etc.
enable
configure terminal
hostname MyRouter
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
clock rate 64000
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.1.0 0.0.0.255 area 0
exit
enable secret mysecretpassword
line console 0
password myconsolepassword
login
exit
line vty 0 4
password myvtypassword
login
exit
crypto key generate rsa
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
ip route 0.0.0.0 0.0.0.0 192.168.1.254
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
Practical Routing, OSPF, and Security
What is the difference between static and dynamic routing?
Static Routing: Involves manually setting up routes in the router's routing table through configuration commands. These routes do not change unless manually updated or removed. Static routing is simple, secure, and uses less bandwidth but lacks scalability and flexibility.
Dynamic Routing: Automatically adjusts routes in the routing table based on current network conditions using routing protocols. This approach allows for more flexibility, scalability, and fault tolerance, but consumes more resources and can be complex to configure.
What is the difference between link state and distance vector routing?
Distance Vector Routing: Routers using distance vector protocols calculate the best path to a destination based on the distance and direction (vector) to nodes. Updates are shared with neighboring routers at regular intervals or when changes occur. This approach can lead to slower convergence and issues like routing loops.
Link State Routing: Each router learns the entire network topology by exchanging link-state information. Routers then independently calculate the shortest path to every node using algorithms like Dijkstra’s. This results in quicker convergence and fewer routing loops.
Distance Vector Routing: Each router computes distance from itself to its next immediate neighbors. (RIP, EIGRP, & BGP)
-Does not build a full map of the network
-Focuses more on the next hop towards the destination
Link State Routing: Each router shares knowledge of its neighbors with every other router in the network. (OSPF and IS-IS)
-Builds a full map of the network
-Each router shares information
-Maintains a database of the entire network.
Give an example of the distance vector and link state algorithms.
Distance = RIPLink State = OSPF
What type of protocol is Routing Information Protocol (RIP)? Be able to understand
examples and solve problems.
Example of a distance vector protocol
dynamic protocol
-shares routing info with neighboring routers
-an interior gateway protocol that operates within autonomous system
-oldest of all dynamic protocol; RIPv1
-widely used open standard developed by IETF
-a distance vector routing protocol
-limited to maximum 15 hops;

 how rip works -rip sends regular update message (advertisements to neighboring routers) 

-every 30 seconds that resets after each successful ack
-route becomes invalid if it has not received a message for 180 seconds
-RIPv1 (obsolete) uses broadcast, while RIPv2 uses a multicast address -Update message only travel to a single hop
downside : limitations, each router in its table can only have one entry per destination. Have to wait for advertisement for an alternative path, cannot reach hops 15 paths away, little to no security.
What type of protocol is Open Shortest Paths First (OSPF) protocol? Be able to under-
stand examples and solve problems.

• an interior gateway protocol that operates within autonomous systems to build a full map of the network.
  
• widely used open standard developed by IETF
  

-a link state routing protocol

 intra as routing with RIP 

What is the Link State Advertisement (LSA) in OSPF? What is the Link State Database
(LSDB)?
-LSA contains data about a router, its subnets, and some other network information.-OSPF puts all the LSAs from different routers into a Link-State Database (LSDB)
The goal of OSPF is to be able to determine a complete map of the interior routing path to be able to create the best route possible.
The way this is done is that OSPF finds all the routers and subnets that can be reached within the entire network. The result is that each router will have the same information about the network by sending out LSA.
How does each router in OSPF create a map of the entire network?
Step 1 : Acquire neighbor relationship to exchange network information.
Step 2: Exchange database information, neighboring routers swap LSDB information with each other
Step 3: Choosing the best routes, each router chooses the best routes to add to its routing table based on the learned LSDB information.
What is the process for two OSPF routers to become neighbors?
A. a neighbor sends out a Hello packet including the router ID along with subnets that it routes to the given multicast address to a given OSPF area ID.

this is also a way for routers to tell neighbors that they are still on and good to go. 

B. Once other routers receive this packet, they run some checks. The neighboring routers must match the following requirements:
-area id needs to be the same (also used when scaling up OSPF)
-the shared or connecting link should be on the same subnet.
-The Hello and dead timer must be the same.
-the dead timer is having enogh time before the sending router assumes that the neighbor is down.
-this timer is typically 10 secs for point-to-point and broadcast networks.
C. If all is fine, the receiving router will go into Init stage and sends a hello message of its own. This Hello packet list its own network info along with the known neighbor R1. This puts R1 into a 2-way communication status.
D. R1 sends another Hello message to R2 with the information as a known neighbor. This allows the R2 now with a 2-way communication status as well.E. We now have a 2-way neighboring routers
What is the difference between point-to-point and multi-access networks? How does OSPF
handle each case?

Point-to-Point: A network setup where each connection is between two specific nodes or devices. OSPF treats these links with straightforward neighbor relationships since there are only two routers on each segment. 

Multi-Access Networks: Networks where multiple routers can connect on the same segment, such as Ethernet. OSPF uses a Designated Router (DR) and a Backup Designated Router (BDR) on these types of networks to reduce the amount of OSPF traffic and the size of the topological database.
DR selected by the highest OSPF prio.
Be able to configure OSPF routing given a topology.
–
Example:
Consider a topology with three routers R1, R2, and R3. The routers
are connected R1 =⇒R2 =⇒R3 =⇒R1.
R1 has interface f0/0 connected to the
interface f0/0 of R2. R2 has interface f0/1 connecting to the interface f0/0 of R3.
Finally R3 has interface 1/0 connecting to the interface 1/0 of R3. Assuming all
routers are Cisco 7200 routers, configure them to use OSPF to dynamically route in
this topology (you will be given the Cisco router manual for such questions).
•
R1enable
configure terminal
hostname R1
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
no shutdown
exit
interface FastEthernet1/0
ip address 192.168.31.1 255.255.255.0
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
network 192.168.31.0 0.0.0.255 area 0
exit
end
write memory
R2enable
configure terminal
hostname R2
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
exit
interface FastEthernet0/1
ip address 192.168.23.1 255.255.255.0
no shutdown
exit
router ospf 1
router-id 2.2.2.2
network 192.168.12.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 0
exit
end
write memory
R3enable
configure terminal
hostname R3
interface FastEthernet0/0
ip address 192.168.23.2 255.255.255.0
no shutdown
exit
interface FastEthernet1/0
ip address 192.168.31.2 255.255.255.0
no shutdown
exit
router ospf 1
router-id 3.3.3.3
network 192.168.23.0 0.0.0.255 area 0
network 192.168.31.0 0.0.0.255 area 0
exit
end
write memory
How does OSPF authenticate packets to protect against packet spoofing and tempering?
Be able to enable it a Cisco router.
OSPF (Open Shortest Path First) can authenticate packets to protect against packet spoofing and tampering using several methods. The two main types of authentication are:
Plain Text Authentication: This is simple and provides minimal security. It sends the password in clear text.
Message Digest 5 (MD5) Authentication: This provides stronger security by using cryptographic hash functions to authenticate OSPF packets.
Plain textenable
configure terminal
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco123
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
area 0 authentication
exit
write memory
MD5enable
configure terminal
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 securepassword
no shutdown
exit
router ospf 1
router-id 1.1.1.1
network 192.168.12.0 0.0.0.255 area 0
area 0 authentication message-digest
exit
write memory
Network Defense Fundamentals
•
What is IP spoofing? Explain.
-The ip packet contains the source and destination Ip addresses.-Is it straightforward to modify the ip address of the packet.
-IP Spoofing: sender chagrin his source address to something other than his real address.
How can IP spoofing be used in security attacks?
-If the attacker sends an Ip packet with a spoofed IP, they will not receive a response form the destination: the machine with the IP matching the spoofed IP will receive the response.Ip spoofing operation - the sender spoofs the source IP address to point to another target. The receiver system replies to the spoofed IP.
•
What are the countermeasures to IP spoofing?
Ingress and Egress Filtering: Network operators should implement filtering rules on routers and firewalls to block packets with source IP addresses that should not originate from those networks. Ingress filtering blocks incoming packets with a source IP address that is not valid for the network, while egress filtering blocks outgoing packets with an invalid source IP address.
Reverse Path Forwarding (RPF): This technique ensures that the incoming packets are received on the same interface that the router would use to send traffic back to the source. If the path does not match, the packet is discarded, preventing spoofed packets from passing through.
IPsec (Internet Protocol Security): IPsec can be used to authenticate and encrypt IP packets, ensuring that they come from legitimate sources and have not been tampered with. This makes spoofing attacks significantly more difficult.
How can IP spoofing be used to perform DoS attacks?
IP spoofing is often used in Denial of Service (DoS) attacks to obscure the attacker's identity and to overwhelm the target with traffic from what appears to be multiple sources. One common type of DoS attack that utilizes IP spoofing is a Smurf Attack. In a Smurf Attack, the attacker sends ICMP (Internet Control Message Protocol) echo requests to broadcast addresses of networks, with the source IP address spoofed to that of the victim. The devices on the network respond to the echo requests, sending replies back to the victim's IP address. This amplifies the traffic directed at the victim, potentially overwhelming their network and causing a DoS condition.
•
Know how to use
hping3
for performing ping floods.
Using hping3 to perform ping floods involves sending a high volume of ICMP Echo Request packets to a target to overwhelm it.basic ping floodsudo hping3 -1 --flood [target_IP]
Using spoofed source ipsudo hping3 -1 --flood -a [spoofed_IP] [target_IP]
Controlling the Packet Sending Rateo hping3 -1 --flood -i u1000 [target_IP]Combining sudo hping3 -1 --flood -a 10.0.0.1 -i u1000 192.168.1.1
Firewalling
What is a firewall?
a filtering device on a network that enforces network security policy and protects the network against external attacks.
According to NIST SP 800-41, what are the characteristics of a firewall?
NIST standard defines the possible characteristics that a firewall can use to filter traffic.
-(IP Address and Protocol type) filtering based on source/destination IP address/ports, traffic direction and other transport layer characteristics.
-(Application Protocols)controls access based on application protocol data
-(User identity) controls access based on user identity
-(Network activity)
What are the limitations of the firewall?
Firewall capabilities: -Define a traffic chokepoint in the network and protects against IP spoofing and routing attacks
-Provide a location for monitoring the security events -Provide non-security functions: loggin internet usage, network address translation-Serve as platform for VPN/IPSec
Firewall limitations:-protect against attacks bypassing the firewall, connections from inside the organization to the outside that do not go through the firewall.-protect against internal threats such as disgruntled employees.
What is a packet filter firewall? Be able to write and interpret rules and to spot configu-
rationflaws.
Packet filtering firewall : applies a set of rules to each packet based on the packet headers.Filters based on: source/destination IP, source/destination port numbers, IP Protocol Field:defines the transport protocol, Interface : for firewalls with 3+ network interfaces, the interface from which the packet came from/going to
•
What is the difference between the default and allow and default deny policies? Which
one is the more secure one?
-when no rules apply to a packet, a default rule is applied: default deny : what is not explicitly permitted is denied default forward : what is not explicitly denied is allowed
default deny is more secure, you dont have to identify all of the cases that needs to be blocked, if one is missed, default deny will deny it.
Port 0-1023 reserved
1024-2**17 ephemeral
source port used by the system initialiatizng a connection is always chosen from the ephemeral ports
Be able to configure the packet filtering functions of iptables.
–
Example:
Write iptables rules to block all ICMP traffic to and from the system.
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
Example:
Write iptables rules to block all traffic on port 22
iptables -A INPUT -p tcp --sport 22 -j DROP
iptables -A OUTPUT -p tcp --dport 22 -j DROP
–
Example:
Write iptables rules to block traffic to host 192.168.2.2
iptables -A OUTPUT -p tcp --dest 192.168.2.2 -j DROP
iptables -A INPUT -p tcp --src 192.168.2.2 -j DROP
What are the limitations of the packet filter firewall?
-does not examine upper layer data : cannot prevent attacks that employ application specfic vulnerabilities or functions.cannot block application specific commands.
•
What is the stateful firewall and how does it compare to a packet filter?
A stateful firewall is a network security device that monitors and tracks the state of active connections, making decisions based on the context of the traffic. Unlike a simple packet filter, which examines individual packets in isolation based on predetermined rules, a stateful firewall keeps track of connections over time, distinguishing between legitimate packets that are part of an established session and potentially malicious ones. This contextual awareness allows it to block unauthorized connection attempts and prevent attacks such as spoofing and session hijacking. While packet filters, or stateless firewalls, operate faster and consume fewer resources by applying static rules to each packet independently, they lack the sophisticated traffic pattern handling and enhanced security provided by stateful firewalls.
•
What is the application-level firewall? What are its advantages and limitations?
An application-level firewall, also known as an application firewall or proxy firewall, operates at the application layer of the OSI model. It inspects and filters traffic based on the specific application protocols (e.g., HTTP, FTP, DNS) rather than just IP addresses and port numbers. limitations : increased communications overhead due to two separate TCP connections

 and not transparent to the client 

Application-level gateways are also known as application-level proxies.
-act as a relay for the application-level traffic.
-runs at the application layer, and examines application-layer data
Supported ProtocolsFTPSTMPHTTP
What is a circuit-level firewall? What are its advantages and limitations?
-Similar to the application-level gateway, but only tracks the state of the TCP/UDP sessions.
-Does not examine application data , simply relays TCP segments
-Allow/deny decisions based on whether a packet belongs to an established and trusted connection
Advantage of circuit-level firewall -do not filter individual packets(simplifies rules)

-fast and efficient 

Disadvantages:

-do not filter individual packets -require frequent updates: traffic is filtered with rules and policies that need regular updates for new threats and risks -the vendor needs to modify the TCP/IP implementation for thor applications to use the circuit-level proxy. 

What are the different approaches to basing the firewall?

-stand-alone machines -software modules in roosters, switches, or servers, or pre-configured security appliances. 

What are the host-based firewalls?
Host-based firewalls: a firewall software module used to secure a single host.
What are the network device firewalls?
Network device firewall = routers and switches often have firewall functions, like packet filtering and stateful inspection, to check and filter packets
What are the virtual firewalls?
-in a virtualized environment, servers, switches, and routers can be virtualized and share physical hardware. The hypervisor that manages the virtual machines can also have firewall capabilities.
What is the DMZ? How is it used for securing networks?
A Demilitarized Zone (DMZ) in network security is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, typically the internet. The primary purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN). By isolating these externally accessible services, the DMZ ensures that if an attacker gains access to the public-facing systems, they do not have direct access to the rest of the network.
How the DMZ Secures Networks
Isolation of Public Services: Services that need to be accessible from the outside, such as web servers, mail servers, FTP servers, and DNS servers, are placed in the DMZ. These services are isolated from the internal network, which helps protect the internal systems from attacks that may exploit vulnerabilities in the public-facing services.
Controlled Access: Firewalls are used to create boundaries between the internet, the DMZ, and the internal network. The firewall rules are configured to allow only specific types of traffic to and from the DMZ. For example, incoming web traffic might be allowed to reach a web server in the DMZ, but not to access internal systems directly.
Minimal Exposure: Only the necessary services are exposed to the internet. This minimizes the attack surface, reducing the number of entry points that an attacker can exploit. Internal systems and data remain protected behind the additional layer of the firewall.
Layered Security: The DMZ provides an additional layer of defense (defense-in-depth). Even if an attacker manages to compromise a server in the DMZ, the internal network is still protected by another firewall, making it harder for the attacker to penetrate further.
Monitoring and Logging: Activities within the DMZ can be closely monitored and logged. Any suspicious behavior can be detected early, and appropriate actions can be taken to mitigate potential threats before they impact the internal network.
Traffic Filtering: The firewalls between the internet and the DMZ, as well as between the DMZ and the internal network, can filter traffic based on IP addresses, ports, and protocols. This filtering ensures that only legitimate traffic is allowed and that malicious traffic is blocked.
-if attacker compromises a server on the network, they will be able to pivot to other systems on the network.
What are the advantages and disadvantages of having the two DMZ firewalls be from
different vendors?
Using different firewall manufacturers for the two firewalls maybe a good idea, avoids possibility of both having the same vulnerability but introduces more complexity and management overhead.
Be able to write pfSense firewall rules
Penetration Testing
•
What is penetration testing?
-legal and suthorzied attempt to locate and exploit vulnerable systems for the purpose of making those systems more secure.

pen testing, pt, hacking, ethical hacking, whitehate hacking, offensive security, red teaming 

What is the objective of the penetration testing?

Use tools and techniques used by the attackers in order to discover security vulnerabilities before the attackers do. 

What is the BAD pyramid?

The purpose of a red team is to find ways to improve the blue team, so purple teams should not be needed in an organization where the red/blue teams interaction is healthy and functioning properly. 

red attack
purple defender changes based off attack knowledge
blue defend
green builder changes based on defender knowledge
yellow build
orange builder changes based on attacker knowledge
Why are the penetration tests conducted?
-a company may want to have a stronger understanding of their security footprint.

-system policy shortcomings -network protocol weaknesses -network/software misconfigurations -software vulnerabilities 

What is the difference between penetration testing and vulnerability assessment?
-two terms often incorrectly ,interchangeably used in practice.
-vulnerability assessment : review of systems services to find potential vulnerabilities-penetration testing: finding an exploiting system vulnerabilities as proof-of-concept
What is the difference between black-box, white-box, and grey-box testing.
Black-Box Testing
Tester Knowledge: The tester has no knowledge of the internal structure, code, or implementation details of the system.
-lack knowledge of system
White-Box Testing
Tester Knowledge: The tester has full knowledge of the internal structure, code, and implementation details of the system.
-very thorough , but not completely realistic
Grey-Box Testing
Tester Knowledge: The tester has partial knowledge of the internal structure, code, or implementation details of the system.
What is the difference between ethical and unethical hackers?
-penetration testers, with proper authorization of the company, help improve the security of the company.
-unethical hackers, personal gain through extortion or other devious methods, profit, revenge, fame, etc. No authorization to conduct the attacks
•Ethical vs unethical hacking, penetration testers: obtain the authorization from the organization whose systems they plan to attack unethical hackers: attack without authorization.
Know the stages of penetration testing and the importance of following a structured ap-
proach.
–
Planning and Reconnaissance:
Planning: Define the scope and goals of the test, including the systems to be tested and the testing methods.
Reconnaissance: Gather information about the target, such as IP addresses, domain names, and network infrastructure, to understand how to approach the test.
Scanning:
Purpose: Identify potential entry points and vulnerabilities in the target system.
Methods: Use tools to scan for open ports, services running on those ports, and known vulnerabilities.
Gaining Access:
Purpose: Attempt to exploit identified vulnerabilities to gain unauthorized access to the system.
Techniques: Use techniques like password cracking, SQL injection, or exploiting software vulnerabilities.
Maintaining Access:
Planning and Reconnaissance:
Purpose: Ensure continued access to the compromised system to understand the potential impact of a prolonged attack.
Methods: Install backdoors or use other methods to maintain control over the system.
Analysis and Reporting:
Scanning
Purpose: Document the findings, including vulnerabilities discovered, methods used, and the level of access achieved.
Report: Provide a detailed report to the organization, highlighting the risks and recommending steps to mitigate the vulnerabilities.
Remediation:
Gaining Access
Purpose: Address and fix the identified vulnerabilities to improve the security of the system.
Action: Implement the recommended security measures from the report to protect against future attacks.
Retesting:
Maintaining Access
Purpose: Verify that the vulnerabilities have been successfully remediated.
Process: Conduct a follow-up test to ensure that the fixes are effective and no new issues have been introduced.
Importance of Following a Structured Approach
Consistency: A structured approach ensures that each stage is systematically followed, making the testing thorough and reliable.
Comprehensiveness: Following each stage helps identify and address all potential vulnerabilities, leaving no gaps in the security assessment.
Documentation: A structured method produces detailed documentation, which is crucial for understanding the security posture and for future reference.
Effectiveness: It ensures that the penetration test effectively mimics real-world attack scenarios, providing valuable insights into how an actual attacker might exploit vulnerabilities.
Risk Management: By identifying and addressing vulnerabilities, organizations can proactively manage security risks and protect their assets from potential attacks.
Example:
What is the difference between the passive and active reconnaissance?
•
Passive Reconnaissance
Definition: Gathering information about the target without directly interacting with the target system or network. The aim is to collect data without alerting the target.
Methods:
Publicly Available Information: Searching for information that is freely available on the internet, such as social media profiles, company websites, and news articles.
DNS Queries: Looking up domain registration information (WHOIS data), DNS records, and IP address ranges.
Network Traffic Analysis: Capturing and analyzing network traffic without sending packets to the target (e.g., using tools like Wireshark in a non-intrusive manner).
Search Engines: Using search engines to find information about the target, such as employee names, email addresses, and technical details.
Advantages:
Low Risk: Minimizes the chance of detection by the target because no direct interaction occurs.
Stealth: Suitable for the early stages of reconnaissance when the goal is to remain undetected.
Disadvantages:
Limited Information: May not provide as much detailed or specific information about vulnerabilities or configurations as active reconnaissance.
Active Reconnaissance
Definition: Actively engaging with the target system or network to gather information. This involves direct interaction, such as sending packets or probing the target.
Methods:
Network Scanning: Using tools like Nmap to scan for open ports, running services, and network topology.
Vulnerability Scanning: Running vulnerability scanners (e.g., Nessus, OpenVAS) to identify known weaknesses in the target systems.
Social Engineering: Directly interacting with individuals (e.g., phishing attacks) to gather information.
Probing and Enumerating: Sending specific queries or packets to the target to elicit responses that reveal information about the system (e.g., banner grabbing).
Advantages:
Detailed Information: Provides more detailed and specific information about the target's vulnerabilities, configurations, and active services.
Identification of Weaknesses: More effective in identifying exploitable vulnerabilities that can be used in subsequent attack phases.
Disadvantages:
Higher Risk: Increases the risk of detection by the target, which could alert them to the reconnaissance activity.
Potential Legal Issues: Unauthorized active reconnaissance can lead to legal repercussions if done without permission.
Summary
Passive Reconnaissance: Involves gathering information without direct interaction with the target, resulting in lower risk of detection but potentially less detailed information.
Active Reconnaissance: Involves direct interaction with the target to gather detailed information, but carries a higher risk of detection and potential legal consequences.
Both types of reconnaissance are essential in penetration testing to understand the target's environment and identify potential vulnerabilities while balancing the need for stealth and detailed information.
Be able to use the penetration testing tools discussed in class
nmap 192.168.1.1
nmap -sS -sV -O -A 192.168.1.1-sS: Perform a stealth SYN scan.
-sV: Detect service versions.
-O: Detect operating system.
-A: Perform aggressive scan (includes OS detection, version detection, script scanning, and traceroute).

In 2024, we will be voting for President, Senators, House of Representative members, Governors, Attorney Generals, and State leadership. It is vitally important that you VOTE to restore our country’s values by voting for conservative leadership. Your vote will literally determine your family’s future and well-being. We need to restore parents' rights in public schools, rebuild America’s energy independence, create economic growth by lowering taxes, and keep our tax dollars in the US. We need to secure our national borders, both north and south. We need to shrink government, balance the Federal Budget, stop printing (stealing) money, and lower the national debt. We can drastically lower crime by bringing back criminal accountability and removing all Attorney Generals installed by Soros. We need to stop the WEF from creating a One World government, Central Bank Digital Currencies and Social Credit Score Systems. We need to restore America’s family farms and help increase agriculture worldwide, not give in to eating insects. We need to be less involved in war, especially proxy wars. There is only one candidate that will change government. We may not like his personality but he will get the job done!