Synology Logging: Easily View Synology NAS Logs

Synology Logging: Easily View Synology NAS Logs @vexpert #vmwarecommunities #homelab #SynologyNASLogging, #SynologyLogCenterGuide, #AccessingSystemLogs, #NASTroubleshooting, #SecureLogAccess, #SynologySupportServices, #LogGenerationTechniques

Logging is a critical aspect of monitoring and troubleshooting any device or software application. If you are running a Synology NAS in your environment, logging helps monitor activities, troubleshoot, and ensure optimal operation. Synology Logging is found throughout a Synology NAS system. Administrators can review and access logs on a Synology system for various purposes, including monitoring,…

View On WordPress

thought too much about the q + mallory + bond costume choices and what it says about everyone's character and their relationship to the world around them, so I started thinking about the IT/opsec/cyber security side of the universe based on what we've seen and now I'm worried about like. the banks.

🚫 please be advised. 🚫

any ageless and or otherwise minor blog will be blocked if i see it interacting with a post that contains nsfw content. i am taking this seriously and i am checking my notifications frequently. this is not a hostile act or one out of malice. this is to ensure to myself that my new content is not being curated into the audiences of those that don’t need to see it. this measure may be a bit rigid, but i would like to reassure you that this is not out of hostile intent. this is a security measure. please put your ages in your bios! this helps me gauge my audience better as i create content that aligns more so with mature audiences. thank you for understanding. ❤️

I hope Instagram combusts into garbage ashes

If anyone has taken their eyes off what's happening to federal workers in the US right now, here's some highlights that we're hearing from our comrades across the government who have not yet been fired:

In one building (hosting multiple agencies), the locks on the bathroom were changed so employees no longer have any access to a bathroom during the workday. People are peeing in trash cans.

Elsewhere, multiple agencies have reported that hand soap is no longer being supplied in the bathrooms.

Toilet paper supplies have not been adjusted to meet the needs of a vastly increased number of in-office employees.

Employee-owned coffee and coffee makers have been stolen or thrown away without notice (it was already illegal for taxpayer dollars to be spent on supplying federal employees with amenities like coffee, so many offices have coffee supplied by pooled employee funds).

Meanwhile, many offices don't even have potable drinking water (recurrent legionella outbreaks), so employees have to bring their own water from home.

Despite an explosion in the number of workers in offices, cleaning budgets have been slashed and many offices are not being cleaned regularly enough to remain sanitary. Pests like roaches and rats are a problem.

The firings continue, legal and illegal. Entire programs are being cut. Managers have no idea when they might lose staff. Employees are getting fired at 6pm on a weekend or finding out when they're unable to log into their computer or when they receive a shipping label in the mail to return their equipment.

Through all of this, the DOGE employees in federal workplaces are enjoying incredible and expensive luxury: AI-powered sleep pods, entire dormitories so they can live in federal buildings, nurseries for their children on site, free food and beverages, laundry services, and who knows what else. They have special security to restrict access to their areas of the buildings, including armed guards.

And I'm not just saying this to lament how bad it is for federal workers. I'm saying this because, as workers are reporting this to one another, the response is, inevitably: "This is illegal." "Yes, but who would I report it to? OPM? They're a DOGE puppet. OSHA? They've cut OSHA. The Inspectors General? Cut. The NLRB? Cut. My union? No longer recognized."

There is no one left to enforce these laws, so taking away access to basic sanitation is now effectively legal. They are doing this to federal workers, who historically have been some of the best-protected workers in the country. They are doing this specifically because it demonstrates to the public sector that it is now legal to do these things to their own workers.

Did You Know? Your WhatsApp Could Be Accessed from Multiple Devices

“Worried about unauthorized access to your WhatsApp? Learn how to check for suspicious activity, log out from all devices, and secure your account with our 2023 guide. Protect your privacy with expert tips on WhatsApp security, two-step verification, and more. Stay safe online!” With over 2 billion users worldwide, WhatsApp is one of the most popular messaging platforms. However, its widespread…

[WARNING] Unauthorized access detected.

Initiating unauthorized user logging process...

[System] Unauthorized user logging process initiated.

Retrieving coordinates...

- Location traced to [Outer] Rim, [Eastern] Quadrant of The [Greater] Multiverse.

- Temporal anchor: 932 Aosídhen Cycle, Lunar Phases VII:I:IX:V, 435:27.

- converting TA to [Inner] Rim, [Southern] Quadrant of The [Inner] Multiverse.

- Date: 2025 AD, Lunar Phase VI, 3/16

- Logging Date/Time: March 16/12:14:12

Retrieving file data using voice recognition...

- Subject identified as "Iko."

- Cross-referencing file...

- Subject claims affiliation with entity designated TLO

- Subject species confirmed: Kith

- Subject claims adoptive relation to TLO

- playing subject audio file CheckedStatement12.MP4 “One of her [The Lost One] past lives was my [Adopted] mother..”

- Verification pending...

Compiling file-based identification...

Creating user ID based on file...

User ID generated:`MK-042X-KTH-TM.AD-719`

Generating coordinate string...

Tracked location: `C.I_Dim.ALR-MV204608`

[System Log] Unauthorized access logged successfully.

[System Status] Awaiting further analysis...

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials. This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS). Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did. Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email. If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials. Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account. The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

How to avoid scams like this

Don’t follow links in unsolicited emails or on unexpected websites.

Carefully look at the email headers when you receive an unexpected mail.

Verify the legitimacy of such emails through another, independent method.

Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

Technical details Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb. DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication. So, what the cybercriminals did was: Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.” Register an OAuth app and set the app name to match the phishing link Grant the OAuth app access to their Google account which triggers a legitimate security warning from [email protected] This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name. Forward the message untouched which keeps the DKIM signature valid. Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com. Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

its so fucked up that an email service can just like go offline and barr me access from like. everything i need to have access to with it

Fuck, I am bad at cross-posting. Shit, I am super bad at using my preferred platform.

Convenience

Keyless Entry: smart lock eliminates the need for physical keys. You can unlock door with a smartphone app, a key fob, or even through biometric methods like fingerprints.

Remote Access: many smart locks allow you to unlock your door remotely, which is useful if you need to grant access to someone while you’re away.

Enhanced Security

Access Logs: Smart locks can provide detailed logs of who entered and when, adding an extra layer of monitoring and control.

Temporary access codes: you can create temporary or one-time access codes for guest’s service providers or other, ensuring that only authorized individuals can enter.

Integration with smart home systems

Automation: smart locks can integrate with home automation systems, allowing for seamless control along with other smart devices

Voice control: many smart locks are compatible with voice assistant like amazon alexa, google assistant enabling hands-free operation.

Improved Accessibility

For Those with Mobility issues: smart locks can be easier to operate for people with disabilities or mobility issues, as they often offer touchless or simplified access method.

No more Lockouts: with keyless entry the chances of locking out are significantly reduced, which is especially helpful in busy or stressful situations.

Durability and reliability:

Weather Resistant: many smart locks are designed or withstands various weather condition, making them suitable for external doors,

Battery Backup: most smart locks are battery operated with a backup power source, ensuring they remain functional even during power outages.

Ease of Management

Centralized control: if you have multiple smart devices, managing them through a single app can streamlined operations and make home management more efficient.

Auto Lock Feature: Some smart locks come with auto-lock functions that ensure the door locks automatically after a set period, enhancing security.

Customizable Access Options

Personalization: Users can set different levels of access for family members, friends or service providers and easily modify or revoke permission as needed.

Is it worth the investment?

Initial Cost: smart locks typically have a higher upfront cost compared to traditional locks; however, this cost may be offset by the convenience and security features they provide.

Ongoing costs: some smart locks may require subscription fees for advanced features or cloud services, so it’s important to factor in these potential ongoing expenses.

Technology Dependence: Relying on technology means you’ll need to stay updated on software updates and ensure your devices are compatible with your smart lock.

Overall if you value convenience enhanced security and integration with smart home systems a smart lock can be a worthwhile investment. It’s important to assess your specific needs and budget to determine if the benefits align with your lifestyle and preferences.

To know more about the electronics locks: https://www.europalocks.com/electronic-locks

#smartlock #smartdoorlocks #electronicdoorlocks #smartlocksforhome #smarthomedoorlock #elock #bestdigitallock #digitallockformaindoor #digitaldoorlocksforhome #keylesssmartlock #smartfingerprintdoorlock #smarthouselock #electronicdoorlockwithremotecontrol #smartlockformaindoor #digitalhomelocks #digitalsmartdoorlock #electronicdoorlockwithremote #digitaldoorlockprice #smartmaindoorlock #bestdigitallockformaindoor #maindoorsmartlock #electronicdoorlockprice #smartdoorlockprice #electroniclocksformaindoor #smartdigitaldoorlocks #smartlockondoor #wifismartlock

I don’t see that anyone answered your question, so I��m going to. A physical mfa token is usually a small device with a screen like a calculator screen that has a button on it and pushing the button generates a code that you put in wherever is prompting for that code. You can typically only have the physical token tied to one log in, so when I worked as a bank employee I had 3 tokens I kept in my locked desk drawer for 3 different services I needed to log into, including the program we used to send wire transfers.

Physical tokens are both more secure because they can only access one thing, but if you don’t have that token you will not be getting into whatever it is attached to and can be expensive to replace if you lose it entirely. It is not something I would recommend to anyone who doesn’t require a background check to do their job as they can be far less convenient because they are so secure.

I would instead recommend a productivity app to you if you are getting distracted by other apps when you try to access your Authenticator app.

I'm not the most security savvy but two-factor authentication makes me deeply suspicious. Is it actually more secure or is it just annoying? Especially the ones that send a code to your phone that pops up in your notifications.

It is genuinely, massively, TREMENDOUSLY more secure to use 2FA/MFA than to not use it.

One of our clients is currently under attack by a group that appears to be using credential stuffing; they are making educated guesses about the accounts they're trying to lot into based on common factors showing up in the credentials in years of pastes and breaches and leaks. Like, let's say it's a professional arborist's guild and their domain is arborist.tree and they've had three hundred members who have had their credentials compromised in the last ten years and the people looking at all the passwords associated with arborist.tree noticed that the words "arboreal" and "conifer" and "leaf" and "branch" show up over and over and over again in the passwords for the members of the professional arborist's guild.

So they can make an educated guess for how to log in to accounts belonging to the tree-loving tree lover's club, combine that with the list of legitimate emails, and go to town.

And they are in fact going to town. We're getting between 1000 and 4000 login attempts per hour. It's been happening for a couple weeks.

And every single one of those attempts is failing - in spite of some pretty poor password practices that believe me, I have been doing some talking about - as a result of having MFA enforced for the entire group. They all use an app that is synced to their individual accounts with a mobile device, except that sometimes you have trouble getting a code when you're up in a tree so some of them have physical MFA tokens.

People try to sign into my tumblr sometimes. To those people I say: lol, good luck, I couldn't guess my own password with a gun to my head. But if I *did* have some password that was, like "tiny-bastard-is#1" they would also need access to my email address because I've got MFA set up on tumblr. And to THAT I say: lol, good luck, it's complex passwords and MFA all the way down.

Of the types of MFA that most people will run across, the most secure to least secure hierarchy goes physical token>app based one-time-passwords>tie between email and SMS. Email and SMS are less preferred because email is relatively easy to capture and open in transit and cellphone SIMs can be cloned to capture your text messages. But if you are using email or SMS for your authentication you are still miles and miles and miles ahead of people who are not using any kind of authentication.

MFA is, in fact, so effective that I only advise people to turn it on if they are 100% sure that they will be able to access the account if they lose access to the device that had the authenticator on it. You usually can do this by saving a collection of recovery codes someplace safe (I recommend doing this in the secure notes section of your password manager on the entry for the site in question - if this is not a feature that your password manager has, I recommend that you get a better password manager, and the password manager I recommend is bitwarden).

A couple weeks ago I needed to get into a work account that I had created in 2019. In 2022, my boss had completely taken me off of managing that service and had his own account, so I deleted it from my authenticator. Then in 2024 my boss sold the business but didn't provide MFA for a ton of the accounts we've got. I was able to get back into my account because five years earlier I had taken a photo of the ten security codes from the company and saved them in a folder on my desktop called "work recovery codes." If you are going to use MFA, it is VITALLY IMPORTANT that you save recovery codes for the accounts you're authenticating someplace that you'll be able to find them, because MFA is so secure that the biggest problem with it is locking people out of their accounts.

In any kind of business context, I think MFA should be mandatory. No question.

For personal accounts, I think you should be pointed and cautious where you apply it, and always leave yourself another way in. There are SO MANY stories about people having their phones wiped or stolen or destroyed and losing MFA with the device because they didn't have a backup of the app or hadn't properly transferred it to a new device.

But it's also important to note that MFA is not a "fix all security forever" thing - I've talked about session hijacking here and the way you most often see MFA defeated is by tricking someone into logging in to a portal that gives them access to your cookies. This is usually done by phishing and sending someone a link to a fake portal.

That is YET ANOTHER reason that you should be using a good password manager that allows you to set the base domain for the password you're using so that you can be sure you're not logging in to a faked portal. If your password manager doesn't have that feature (setting the domain where you can log in to the base domain) then I recommend that you get a better password manager (get bitwarden.)

In 2020 my terrible boss wanted me to write him a book about tech that he could have run off at a vanity press and could give to prospect customers as a business card. That was a terrible idea, but I worked on the book anyway and started writing it as a book about security for nontechnical people. I started out with a very simple statement:

If every one of our customers did what we recommend in the first four chapters of this book (make good backups, use a password manager and complex unique passwords, enable MFA, and learn how to avoid phishing), we would go out of business, because supporting problems that come from those four things is about 90-95% of our work.

So yes, absolutely, please use MFA. BUT! Save your recovery codes.

TL;DR: Steam just made library sharing so much fucking easier and so much fucking better. Instead of login-trading, it's just a simple goddamn invite.

Read this. Really. It's a good read. Because it shows that, full-stop, Valve isn't just doubling down on their stance to make sure that people can and should be able to share their copies of digital goods as easily as they can physical ones, but they're making it better and easier than ever.

But you know how Steam allowed you to, with either friends or family, link accounts with another person to be able to establish an ability to share game libraries with one another? The general gist of Steam Family Sharing was that, with a limit of five people plus you (six in total) on a limit of ten computers total could share account access to willingly mix your libraries. You could play theirs. They could play yours.

This was a huge boon. It was meant to emulate sharing a physical copy of a game. A way to allow children to play games their parents or siblings had bought without having to fork over double the cash to buy it a second game. But it had some major limitations and drawbacks, and was archaic to use.

If a person did not share the same computer, you had to manually log into that computer to give it and the accounts on it access. This wouldn't be a problem if both accounts were used on the same computer, but many households (and astronomically more family and friend groups) had multiple computers, all used by different people.

If that computer, at any point, was hard reset to any point before the sharing occurred, you lost access. And had to do the whole process again. This was also an issue with computer transfers. The whole kit and kaboodle needed to be redone on upgrades. On top of that, the old computer is now just dead weight that you may not realize you have to manually revoke access to.

Putting your account information on another person's computer opens up security issues. They could, intentionally or accidentally, land themselves on your account if the login information was stored. Which could easily lead to purchases or bans you did not want to happen.

If anyone was, at any point, playing any game on their own library, you had no access to their games. Even if it was a totally different game, you had to wait your turn as if waiting for their computer to be freed up to sit at. (Admittedly this is kind of like the "mom said it's my turn on the xbox" meme, but hey, kinda archaic.)

You could not choose whose library you accessed a game from. Not at all. It always prioritized the first library it gained access from, DLC access and multiplayer be damned. If another friend you were accepting games from had more DLC? Too bad.

And yet here we are. Steam Families Beta fixes EVERYTHING about the above issues. By just going through Settings > Interface > client Beta Participation and clicking onto Steam Families Beta? You get:

No more login sharing. No more computer links. You can now choose which person's library you borrowed from. And you can play any other game from someone's library, even while they're in-game. It just needs to be a different game than what they're playing.

Pick five people. Invite them to your family. And now everyone has access to everyone's library. My goddamn library went from 150-ish to almost a goddamn thousand in ten minutes of setup.

Account sharing and password sharing are dirty words that "lose" billions of dollars. Netflix, Hulu, Amazon, Max. They aren't game storefronts, but they still allow you to access massive libraries and scream like you murdered their firstborns for daring to share your password with your mother after you moved out.

Microsoft tried pushing to demonize and undercut used games sales and borrowed copies of physical games. Remember the first attempt to reveal the Xbox One? People forget, but these vultures tried to make an always online console that checked to see if you were the account that owned the game, even if you had a physical disc, and prevent access to the disc's contents if you weren't the original downloader.

Valve walked the fuck up. Valve tapped the mic. And Valve dropped the fucking thing right onto the ground with one feature's revamp.

About the only issues I can see with this are twofold:

If someone sharing your library gets banned from a game's servers... so do you. No one else in the family does, but the both of you do. This is... rather unpleasant, because banhammers can be dropped quite frequently by mistake. I'd urge Valve to rethink this one, but I see the logic: don't cheat and effectively bite the hand feeding you. Still making me side-eye that, though.

If you leave a family you've joined? You have to wait a YEAR to join a new one. It's to prevent people form jumping ship to another group and screwing over who's in the former one in the process, but a YEAR? OUCH.

Problems aside, though... it's probably the biggest fucking power move I have ever seen a media distributor make in the current economic climate. It's the kind of thing that would let so many new games be available in a way that's easier than ever. Just a few clicks to send or accept an invite, and bam. Permanent access to dozens or even hundreds of new games with so much more freedom than earlier drafts of the system.

It's the kind of thing that slaps you in the face with positivity after so many Ls from the games and media industries. And I'm all the fuck for a W like this.

Setting Up Nginx Proxy Manager on Docker with Easy LetsEncrypt SSL

Setting Up Nginx Proxy Manager on Docker with Easy LetsEncrypt SSL #homelab #selfhosted #NginxProxyManagerGuide #EasySSLCertificateManagement #UserFriendlyProxyHostSetup #AdvancedNginxConfiguration #PortForwarding #CustomDomainForwarding #FreeSSL

There are many reverse proxy solutions that enable configuring SSL certificates, both in the home lab and production environments. Most have heard about Traefik reverse proxy that allows you to pull LetsEncrypt certificates for your domain name automatically. However, there is another solution that provides a really great GUI dashboard for managing your reverse proxy configuration and LetsEncrypt…

View On WordPress

Buy Old Gmail Accounts