From a224a40492b5cccfc2d30c05949003aaf5af5a93 Mon Sep 17 00:00:00 2001 From: PlexSheep Date: Wed, 10 Apr 2024 21:25:04 +0200 Subject: [PATCH] about and security --- _includes/head.html | 3 ++ _tabs/about.md | 35 ++++++++++++++++++-- _tabs/imprint.md | 1 + _tabs/security.md | 76 ++++++++++++++++++++++++++++++++++++++++++++ assets/css/extra.css | 10 ++++++ 5 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 assets/css/extra.css diff --git a/_includes/head.html b/_includes/head.html index c9187a3..5e1de77 100644 --- a/_includes/head.html +++ b/_includes/head.html @@ -101,6 +101,9 @@ {% endif %} + + + {% unless site.theme_mode %} diff --git a/_tabs/about.md b/_tabs/about.md index d68791b..7a49b3d 100644 --- a/_tabs/about.md +++ b/_tabs/about.md 
@@ -4,5 +4,36 @@ icon: fas fa-info-circle order: 100 --- -> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page. -{: .prompt-tip } +This is the personal website and blog if *Christoph J. Scherr*. + +## Professionally + +I am currently a student of Cybersecurity at [DHBW Mannheim](https://www.mannheim.dhbw.de/) and work at +[NewTec](https://www.newtec.de). Computer Technology, especially with a focus on +security is my passion. + +## Technology + +I like managing and administering servers and services. This website is hosted +on a [VPS](https://en.wikipedia.org/wiki/Virtual_private_server) hosted in +Germany, which I pay [Netcup](https://www.netcup.de) for. Hosting your own services +and managing your own servers is fun and I regularly learn new computer related +things from it. + +I like Open Source Software, working on my own projects and using mostly OSS on +my devices where possible. All my servers run [Debian](https://www.debian.org), +and I use GNU/Linux on my PCs too. + +I mainly program in [Rust](https://rustlang.org) at the time of writing this, +but I know many programming languages. + +## Other Interests + +I've been learning Japanese for over a year by now. I find myself often +stumbling over Japanese media, and I've built a liking to the language by now. +My Japanese is still pretty bad, and I still struggle to understand basic sentences, +but I'm constantly learning. + +
「今年には春が好きですけど、それまで好きじゃなかったです。」
+ +When I feel creative, I sometimes make music. Some of that can be found [here](https://www.youtube.com/@plexsheep1296). diff --git a/_tabs/imprint.md b/_tabs/imprint.md index ed3cd9a..5ee0d46 100644 --- a/_tabs/imprint.md +++ b/_tabs/imprint.md @@ -1,4 +1,5 @@ --- icon: fas fa-legal order: 200 +title: Imprint & Legal --- diff --git a/_tabs/security.md b/_tabs/security.md index aabaa27..324b8e6 100644 --- a/_tabs/security.md +++ b/_tabs/security.md 
@@ -2,3 +2,79 @@ icon: fas fa-lock order: 6 --- + +# Security Guidelines, Scope for cscherr.de and associated hosts + +- **[A] Scope** + - You may search for security issues ONLY on public facing services, + such as , , the + Minecraft server and others. You may not do so on sites + not visible without authentication. For example, is okay + (except private repositories), but is not + (I seed only Linux images). The ONLY machine you may target is my public + facing VPS (IP: `194.13.82.193` (`cscherr.de`)) and those machines + virtualised on it. + - You may NOT infiltrate any non-public machines (virtual or not). + - You may NOT exfiltrate data without explicit permission. + - You may NOT endanger the confidentiality, Availability and Integrity of + any data, service, or machine, unless with explicit permission. + - Any findings must be reported to the server owner (Christoph J. Scherr), + you can typically contact me on admin@cscherr.de. + - You may NOT cause any effect that would be considered "harmful" to the + server owner, the users, any service or machine, or any third party. If + you would like clarification on if your case would be considered harmful, + seek contact with me (admin@cscherr.de). + +- **[B] Bounty** + - If you actually manage to find something good, I would like to reward you with a + minor sum of money (~10EUR). I'm only an individual, and still a student, + so I cannot offer much, but you would have earned it. Preferably, you have + an account in Europe, so I can just use SEPA to transfer money. I don't have + PayPal or cryptocurrencies. + - You also have my honest thanks! If you want, you can get an entry in the + hall of fame below. + - I've been getting a lot of mail recently reporting very minor things, that + are often not security issues, like "exposed information on + https://static.cscherr.de". 
I encourage you all to report things you might + find suspicious, but you will not gain a bounty or entry in the HOF for + something that I deem not a thread or unknown risk. Furthermore, I reserve the right to + disagree with your reports and not put you in the HOF or pay a bounty as I + see fit. Bounties and the HOF are based on goodwill. + - If you want your entry removed from the HOF, please mail me (admin@cscherr.de), + we can work something out. + +- **[C] Known Risks** + - The following is a list of possible risks that are currently accepted: + - I don't have CAA Records (just using caddy+letsencrypt) + - no MTA-STS for cscherr.de + - Including of my sites as I-frames to trick users into clicking on something + - No rate limiting on my web server + - Possible brute forcing of login forms (I use strong random passwords and MFA) + - No BIMI Record for cscherr.de + +- Christoph J. Scherr, 2024 + +-------------------------------------------------------------------------------- + +

Hall of Fame

+ +-------------------------------------------------------------------------------- + +Parth Narula, who found a DOS vulnerability in my WordPress site, resulting in +near 100% server load by repeatedly sending requests to an endpoint which +allowed users to load multiple JS and CSS files at once, and also tested the +other subdomains. + +Mitigation: Removal of the WordPress site, as it wasn't actively used anyway. + +-------------------------------------------------------------------------------- + +Mesum Raza, who found an open redirect in authentik (used on ) +prior to version 2024.2.2, and reported it to the authentik maintainers after +correspondence. The open redirect has been removed in subsequent versions +of authentik. + +See: + +-------------------------------------------------------------------------------- + diff --git a/assets/css/extra.css b/assets/css/extra.css new file mode 100644 index 0000000..3136f24 --- /dev/null +++ b/assets/css/extra.css @@ -0,0 +1,10 @@ +.ascii-art { + font-family: monospace; + white-space: pre; + line-height: 1rem; +} + +.text-huge { + font-size: 9rem; + white-space: nowrap; +}
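Review bot: typo in the first added line of the `_tabs/about.md` hunk: "This is the personal website and blog if *Christoph J. Scherr*." should read "blog of *Christoph J. Scherr*". In the same hunk, the "Professionally" paragraph needs a comma to close the parenthetical: "Computer Technology, especially with a focus on security, is my passion."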
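Review bot: the scope bullets of the `_tabs/security.md` hunk contradict each other on virtual machines: the first bullet puts "those machines virtualised on it" (the VPS at `194.13.82.193`) in scope, while the next bullet forbids infiltrating "any non-public machines (virtual or not)". State explicitly whether a VM on the VPS that exposes no public service is in scope, for example "and those machines virtualised on it, to the extent they expose a public-facing service". Two wording fixes in the same hunk: "something that I deem not a thread or unknown risk" should be "threat", and "Including of my sites as I-frames to trick users into clicking on something" should be "Embedding my sites in iframes to trick users into clicking on something"; since the Known Risks list already notes that Caddy fronts the site, a `Content-Security-Policy: frame-ancestors 'none'` response header there would close that accepted risk rather than documenting it. Also "confidentiality, Availability and Integrity" has inconsistent capitalisation.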