databases: is it safe to include my public IP in a server's white list, even if I am behind CGNAT?

I have some VPS instances and databases in GCP, and I can access them by placing my IP on the whitelist, but a few months ago my ISP implemented CGNAT and I was affected. As far as I know, CGNAT allows multiple subscribers to share a single public IP.

Is it still safe to whitelist my IP or do I need another means or an additional layer of protection?

xss: letting the attacker control the content type, why is this safe?

I found some strange behavior in Shopify, where an attacker can change the extension in a URL and the backend will send an HTTP Content-Type that matches that extension, for each of these extensions:

atom: application/atom+xml
bmp: image/bmp
css: text/css
csv: text/csv
gif: image/gif
jpg: image/jpeg
json: application/json
js: text/javascript
mp3: audio/mpeg
mpeg: video/mpeg
mpg: video/mpeg
pdf: application/pdf
png: image/png
rss: application/rss+xml
svg: image/svg+xml
tiff: image/tiff
tif: image/tiff
txt: text/plain
xml: application/xml
yml: application/x-yaml
zip: application/zip

For example, returns 'Content-Type: application/x-yaml', even on a 404. https://gavinwahl-test. search.svg returns the HTML of the actual search page but with an image/svg+html content type.

The search page also lets you insert text of your choice (HTML-escaped): %00%00%00%00%00%00, for example, returns application/zip and is actually a valid zip file (despite having HTML around it).

It seems that there should be a vulnerability here. The search query is HTML-escaped, but we can tell the browser to interpret it as some other content type that may have different escaping rules. This has been done with EML files (Microsoft Outlook Express emails) before. I know there are many vulnerabilities in which content of one type is interpreted as a different type, but Shopify states that this practice is safe and not exploitable.

Is there really a good argument that this is safe? Is there any way to get a reflected XSS payload based on this content type confusion?

(I reported this as an issue to Shopify Security and they said it was safe, so I am publishing it publicly.)

wallet security: I'm new to Bitcoin, how do I keep my bitcoins safe?

Use a desktop or mobile wallet (Electrum or Mycelium) to spend bitcoins (be sure to write down your recovery seed and store it as a paper wallet). To receive and store them, use offline paper wallets. As soon as a paper wallet exceeds a certain amount (50mXBC for example), put it away and start a new one. If you are spending and your online wallet runs out, open a paper wallet to complete the transaction; the remaining coins will stay in the online wallet.
NOTE: by "online wallet" I mean wallets like Electrum and Mycelium, not web wallets like Coinbase or the wallet.
Someone posted instructions for paper wallets on bitcointalk:

Do your own research before risking your coins by following what someone told you.

Do not use web wallets.

EDIT: Brain wallets (memorizing a passphrase that is encoded to produce keys and addresses) are very controversial in the Bitcoin community. The correct way to use them is to choose the passphrase uniformly at random from a large set (at least 2^128).
Security enhancements include:
Adding a salt (something unique but trivial to remember, such as your full name, phone number or email address) to the passphrase, to prevent hackers from attacking everyone at once.
Using WarpWallet: key stretching is an algorithm that derives keys from a passphrase using an expensive algorithm that requires a lot of memory, which makes them a lot harder to hack.

To generate multiple wallets from a passphrase, you can attach an index (add a number to the passphrase).

The main advantages of brain wallets are that there is no physical wallet to steal or confiscate, and plausible deniability of owning bitcoin.
The disadvantages include the difficulty of remembering the passphrase (if you forget it, the coins are gone), the possibility of theft (there are hackers who constantly monitor the addresses created from weak passphrases and steal the coins immediately) and the fact that, in the unfortunate case of your death, your family could not recover your coins.
If you decide to use them, they can be used instead of the paper wallets in the first paragraph.

air travel: is it safe to fly over Iran?

I am a pretty nervous traveler, and recent events with Iran accidentally shooting down a passenger flight do not help. I am flying from Istanbul to Bangkok on Saturday with Turkish Airlines, and looking at the flight route, much of the flight will go over Iran. Many airlines (mostly American and European) currently avoid Iranian airspace, so why do many Arab airlines, such as Turkish Airlines, still fly over Iran?

How to ensure that Windows 10 is safe from the critical security hole reported by the NSA on 01/14/2020?

In all the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.

But I could not find clear instructions on how to ensure that Windows Update has worked correctly.

When I click the Start button, type "winver" and click "Run command", I see that I have Windows 10 version 1803 (OS Build 17134.191).

Windows > Settings > "Update & Security" > "See what's new in the latest update" takes me to Recent updates, which don't seem to mention security at all.

The Windows Update feature itself seems flaky, confusing and unreliable.

I am the most tech-savvy person in my large extended family, and I generally try to help others (especially the older generations) keep their systems running well, but right now I am struggling to find a set of steps that can guide them to confirm that their systems are no longer vulnerable.

How do you keep yourself, servers and your clients safe and secure online?

I will start by saying: use CloudLinux/CageFS for the servers that host your web hosting clients/resellers. I will let other members add other ways to help keep everyone and everything as safe as possible.

Is this JWT access token / refresh token structure and logic safe?

  1. The user logs in
    1. The user is assigned a refresh_token, which is stored in the database (long-lived, 7d)
    2. The client receives an access token (short-lived, 2h) and stores it as a cookie. The client also receives the AES-encrypted user ID and stores it as a cookie
    3. As long as the access token has not expired, the user keeps using it to navigate the website
    4. The token expires
    5. The expired access token is sent to a refresh endpoint, as is the user ID (AES-encrypted) currently stored in the cookies.
    6. The server decrypts the user ID and retrieves the refresh token that corresponds to the user by selecting the refresh token from the database using the user ID.
    7. Now we have our refresh token and our access token on the server, so we refresh the token and send the new access token. We also generate a new refresh token and overwrite the old refresh token in the database with the new one. (I guess somehow I need to blacklist my old refresh token at this point)