Kilala.nl - Personal website of Tess Sluijter


Backing up your Entra ID (Azure Active Directory)

2025-07-03 15:56:00

Backups are important! Remember kids, Jesus saves (and makes incremental backups)!

Jokes aside, having a solid backup of everything your company or life depends on is crucial. Don't rely on your computers always working the way they should and don't assume that your cloud provider makes backups of all your data. 

Case in point: Microsoft cloud services like MS365, OneDrive or Azure may offer highly available storage. They may even offer some additional backup services at a fee. But if for some forsaken reason things go really wrong, you'll lose it all. 

My companies both use Microsoft MS365 and Azure Active Directory (aka Entra ID). For now they rely upon those; it's their sole productivity base. 

Backing up MS365

I've got the MS365 backups covered (including e-mail, OneDrive, Teams etc) using Synology's wonderful Active Backup software. At the time I'd bought a Synology 19" rackable system, which includes the full license for Active Backup for MS365. How awesome is that?! Buy a NAS, get a full cloud backup included! 

Yes, I've tested the backups and restoration: the Active Backup tooling is wonderful!

Backing up Entra ID

What it doesn't have is a backup for my IAM and RBAC user account administration, that is, Entra ID. Unfortunately there's no Synology built-in solution for it either. 

I did some investigation and there are quite a few companies offering SaaS solutions for Entra ID backups. Companies big and small, US and EU, affordable and expensive. Ironically, most of the smaller SaaS providers store your backups on Azure. :D 

Of the SaaS providers, Keepit.com felt the best to me as they back up to their privately owned and built cloud environment in the EU. Ruud, from LazyAdmin, trusts Afi.ai which also looks decent.

Maybe I'm paranoid or overly careful, but it just doesn't sit right with me. I'm giving some third party full read-write access to my company's IAM and RBAC systems. If they get hacked, I'm fully pwned. I don't like it. Sure, all the big SaaS providers say they're trusted and used by big international companies! But... no I'm not doing it.

Veeam for on-prem, local Entra ID backups

I chose to run my Entra ID backups on-prem, exactly like I'm running my MS365 backups on-prem. And there's one trusted company who offers that: Veeam.

Veeam Backup for Entra ID is offered both as SaaS solution, or as on-prem locally hosted software (deployment options here). Their messaging unfortunately is conflicting!

My experience: 

There is only one thing remaining to complete my 3-2-1 backup strategy: off-site, offline storage, for both MS365 and Entra ID. And luckily my new Veeam backup server will help with that as well! 

Costs involved

The SaaS services like Keepit.com, Afi.ai or Veeam's own service offer interesting pricing. While Keepit.com don't tell you their pricing, Afi want $36 per user per year and Veeam's ask is $14.10 per user per year. Afi also includes MS365, which is of course a nice bargain.

If like me you want to run things on-prem, other costs need to be factored in. 

For anything Entra ID with fewer than 100 users, Veeam itself is free thanks to their very generous Community Edition. Of course you do need to run it on something. I've opted for Windows Server 2025 in a 4-core VM, which will set me back €233 per year (excl VAT).

For hardware I'm using a Dell Optiplex, which I got for around €590 (excl VAT). The Optiplex will run a few other VMs and containers as well, which means I get to spread the costs a little bit. 

Would Veeam or Afi SaaS be cheaper in the long run? Yes. $420 per three years SaaS, vs around €900 ($1060) per three years in on-prem hard- and software.

So why do it?

For the learning experience and for my paranoia. :)


Beta-testing the CertNexus CSD-110 exam

2025-06-26 18:26:00

CertNexus are a vendor for professional certifications in the fields of IT, development and information security. I hold their CSC certifications (my CFR lapsed) and teach their CSC (cyber secure coder) class. 

CSC-210 is a few years old, so they're now replacing it with the new CSD-110: cyber secure software developer. A few weeks ago they published the curriculum and exam blueprint and this week they opened the beta-testing for the CSD-110 exam.

I have not had a chance to see their new training materials, which I assume they are still updating and making changes to. But today I sat the CSD-110 exam, to help them test and improve the new exam. 

In short: it was good! 

I feel that these questions were well written! Some were a bit long to read, but overall the exam questions are not dry and factual, but ask questions that require understanding and insight. They won't ask "what is the definition of phase X of the ATT&CK framework?", but more along the lines of "you observe X, Y and Z in your network and your team has determined that A and B. At which point in their kill chain are the attackers right now?". 

With CompTIA beta exams I frequently leave large amounts of comments and feedback, pointing at bad wording or answers and questions that need improvement. With this exam I left very little feedback, meaning I really didn't see anything that wasn't good. 

There was a decent diversity to the 80 questions I saw, although I would have liked to see more code and technical questions. It's called cyber secure software developer after all. But I assume that CertNexus has a large pool of questions and I simply got one particular mix of questions. 

Having taken both CSC-210 and CSD-110 I will continue to stand behind this exam and training materials. I have now taught this class six times and every time the students come away feeling they learned a lot of useful new background. And as I said: I think this is honestly a good exam. 


The riso print I made

2025-06-26 18:24:00

[Image: a neon printed risography]

I completely forgot to actually show the risography print I made a few weeks ago. So here we are!

My colleague Tox discovered that the "fluo orange" ink is actually fluorescent under UV light! How cool is that?!


Learning risography

2025-06-14 16:05:00

I've been into drawing and zine making for quite a while now. When I did a small talk on zine making last year, I dove into reproduction techniques: laser printer, xerox, mimeograph, stenciling and risography. I decided then that I really want to try working with a Riso printer at least once. 

Today was the day! :) 

Under the guidance of Justyna and Angi, the eight of us got an explanation on how the Riso printers work, we did a quick group project to trial the machine and then we were invited to work on our own projects. I'd come prepared and brought the cover of "The tale of the dubious crypto", which I'd tried to make ready for risography.

For today's workshop we got to choose between neon pink + red, or neon orange + teal. I chose the latter, doubting myself all the way. The choice didn't come out great, mostly because of the project I'd chosen and how I'd prepared it. As Marli put it: "Is it okay to say that I hate it?". :D She's not wrong: the end result looks kinda garish. :D

But I did learn quite a few things!

Justyna and Angi told me how they use "clipping mask layers" in Illustrator, Photoshop and Procreate to easily try different colors and effects. It's demonstrated in the Risopop starter workshop booklet. Inkscape does things differently; there's no nice and easy trick with layers for this. 

Thanks to Sweater Cat Designs I'm learning how to do it with Inkscape, though. And that's where today's big lesson comes in: my grayscale files were created by making my objects black and then messing with their opacity. Shouldn'ta done that... I should've worked with grayscale, white to black. 

On to my next project, which hopefully will turn out better! If I want the gradients to turn out nicer than they did and if I want a decently easy workflow, I'm afraid I'll have to start learning a new tool instead of Inkscape. 


Finally getting my toes wet on grokking LLM

2025-06-03 13:11:00

I've been a Luddite on the subject of applied AI, such as LLMs (large language models). Like cryptocoin and blockchain stuff, I've been avoiding the subject as I've been sceptical as to the actual value of the applied products. 

Now I'm finally coming around and I've decided I need to learn: how do these things work? Not as in "how can I use them?", but "what makes them tick?". 

There are a few maths and programming YouTubers whose work I really appreciate, insofar as they've clarified for me how LLMs work internally.

If you have no more than one hour, watch Grant Sanderson's talk where he visualizes the internal workings of LLM in general.

Then if you have days and days at your disposal:

I've learned a lot so far! I'm happily reassured that I haven't been lying to students about the capabilities and impossibilities involving general purpose LLMs and IT work.

3Blue1Brown's series on neural networks, starting with video 1 here, helped me really understand the underlying functions and concepts that show how "AI" currently works. The video series goes over the classical "recognition of handwritten numbers" example and explains in a series of videos what the neurons in a net do and how. And more importantly it clarifies why, to us humans and even the AI's creators, it's completely invisible WHY or HOW an AI comes to certain decisions. It's not transparent. 

What got my rabbit-holing started? A recent Computerphile video called "The forbidden AI technique". Chana Messinger goes over research by OpenAI that talks about their new LLM "deciding", or "obfuscating", or "lying" and "getting penalized or rewarded", which had me completely confused.

Up until this week I saw LLMs as purely statistical engines, looking for "the next most logical word to say". Which they indeed kind of are. But the anthropomorphization of the LLM is what got me so confused! What did they mean by reward or punishment? In retrospect, literally a trainer telling the LLM "this result was good, this result was bad". And what constitutes "lying" or "obfuscation"? The LLM adjusting its weights, biases and parameters during training, so certain chains of words would no longer be given as output.

It's like Hagrid's "Shouldn't've said that, I should not have said that..." realization.

Now, to learn a lot more!


OSCP+, the morning after defeat

2025-04-26 10:07:00

Like I said this morning at four: I'm gutted. I was expecting to fail the OSCP+ exam, but not this badly. 

As outlined in the exam guide, I was given six targets: three in an Active Directory environment, three individual hosts.

In the end I only got my initial footholds on two of the individual hosts.

One of them I only managed to get because I found exactly one blog post from three years ago which, in very great detail, explained how the authors had researched a very obscure piece of software and wrote a perfectly functional exploit for it. I literally only had a port number to go on when I researched this issue, because the software in question did not give any response at all unless you gave it the exact right input. 

I failed at privilege escalation on these hosts for a multitude of reasons. On one of the hosts I was either overlooking very clear hints, or I was performing an exploit incorrectly. And in a few cases I just couldn't get the C exploit code compiled well and quickly enough. 

I'm livid that I didn't manage to get a foothold on that third host. I should not have that much difficulty getting around input filters on a bloody webapp. 

Despite my best efforts I was not able to escalate privileges on even the very first Windows AD host. If they were going for the vulnerability which I think they were, I have to say the required skill level is absolutely crazy. I can't say which CVE I thought it was, but it's literally from 2025 and only a month old with no published proof-of-concept / exploit. 

That is why I think I might have been barking up the wrong tree after all. But if absolutely wonderful tools like itm4n's PrivEscCheck.ps1 can't find me a way in, I certainly don't have any hopes myself. 

The skills I learned when I passed CRTP in 2019 have gotten long in the tooth and the tools I made back then no longer work.

Take-aways which I need to deal with:

  1. I need my virtualization farm up and running during my next exams, because I need to be able to quickly and efficiently spin up VMs with OS versions and build software.
  2. Speaking of: I need to set up build hosts for both Linux and Windows, on multiple architectures and ideally multiple OS versions. 
  3. Automation. I wrote enumeration scripts which worked pretty well, but I need to expand them: if X is found, try A, B and C.
  4. Enumeration once inside is my big weak point. I used many privesc tools which scan for and suggest possible exploits, to no avail whatsoever. And the things I did manually in the past no longer work well enough. 
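As an added example (editor's code, not Tess's own enumeration scripts), here is the shape of take-away 3 as a small POSIX shell dispatcher: it reads nmap's greppable (-oG) output and, for every open port, queues the follow-up enumeration commands for that service. The scan line is a constructed sample, the follow-up tools and the wordlist path are assumptions, and the commands are only printed, so the plan can be reviewed before anything is actually run against a target.

```shell
#!/bin/sh
# "If X is found, try A, B and C": a dispatcher over nmap -oG output.
# Added example; the scan line below is constructed and the tool choices
# (whatweb, gobuster, nikto, smbclient, enum4linux-ng, ssh-audit, nc) are assumptions.
set -e

# $1 = host, $2 = port, $3 = nmap service name. Prints one follow-up command per line.
followups_for() {
    case "$3" in
        http|https|http-proxy|ssl/http)
            printf '%s\n' \
                "whatweb http://$1:$2" \
                "gobuster dir -u http://$1:$2 -w /usr/share/wordlists/dirb/common.txt" \
                "nikto -h http://$1:$2" ;;
        microsoft-ds|netbios-ssn)
            printf '%s\n' "smbclient -N -L //$1" "enum4linux-ng -A $1" ;;
        ssh)
            printf '%s\n' "ssh-audit -p $2 $1" ;;
        *)  # unknown or unnamed service: at least grab a banner by hand
            printf '%s\n' "nc -nv $1 $2" ;;
    esac
}

# Reads -oG lines on stdin. Format per host (tab separated fields):
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...\tIgnored State: ...
# Only "open" ports are dispatched; filtered/closed ones are skipped.
plan_followups() {
    while IFS= read -r line; do
        case "$line" in
            Host:*Ports:*) ;;
            *) continue ;;        # comment lines, hosts with no port list
        esac
        host=${line#Host: }; host=${host%% *}
        ports=${line#*Ports: }
        ports=$(printf '%s' "$ports" | cut -f1)   # drop the trailing "Ignored State:" field
        printf '%s\n' "$ports" | tr ',' '\n' |
        while IFS='/' read -r port state proto owner svc rest; do
            port=${port# }                        # entries after the first have a leading space
            [ "$state" = open ] || continue
            followups_for "$host" "$port" "${svc:-unknown}"
        done
    done
}

# Constructed sample scan (one host, five ports, one of them filtered).
SAMPLE_SCAN=$(printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4/, 445/open/tcp//microsoft-ds///, 7000/open/tcp/////, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)\n# Nmap done (constructed sample)')

# Stand-alone run: print the plan for the sample. In practice: nmap -sV -oG - <target> | plan_followups
printf '%s\n' "$SAMPLE_SCAN" | plan_followups
```

The point of printing rather than executing is twofold: you get to sanity-check the plan before it hits the target, and the same output can be fed to `sh` or a job queue once you trust it. The empty service field on port 7000 (nmap could not name it) falls through to the banner grab, which is exactly the "port number is all I have" situation described above.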

Now... I need to wind down, get a lot more sleep and get back to the real world. Chill out and process all of this. Because right now I feel like an absolute fraud: "how can I teach people about pentesting and software security, if I can't pass this exam?", is what my imposter syndrome will say. 

As Marli rightly points out: it's not at all strange that I didn't pass, and I did not expect to pass. She points out that I haven't "done pentesting" in a serious sense for years, and she's right. I'm on DevSecOps, and infra stuff. Basically everything I'd achieved in 2016-2019 is gone, except for the bit of API hacking I did last year. So yeah, I'm out of the loop, not exercised at all. 

I discussed my situation with my colleague Leendert, an absolutely huge support. We agree that, if I want to have a chance at passing this thing like I did seven years ago, I'll need about a year of solid training and studying. Multiple days a week, like I did in January and February. But as I already concluded: I'm just so damn tired. Tired from juggling multiple jobs and maybe from doing a type of work I wouldn't want to continue much longer. As Leendert (and Marli, and myself) concluded: first order of business might be to actually thoroughly rest and get back out of the funk I've been in for weeks or months.

I'll do some more "navel gazing" and introspection, about where to take my career in the next year(s). In the coming months, I'll keep plugging at the CPTS training and certification exam.


EDIT:

I should speak a bit about the practical side of things, since a lot has changed there as well. 

As before, OffSec's documentation and communication about the exam is great. They provide ample documentation about what to expect and how the process will work, both in workflow and technically. 

The proctoring approach works well and feels trustworthy; it's all browser-based. Sharing my webcam was dead simple, although sharing both of my screens/desktops was finicky and I couldn't get it to work reliably the first time. I had to restart the sharing a few times to get both screens properly shared. 

After the first 15-20 minutes of onboarding, the proctoring was all smooth sailing. I reported via chat when I went on breaks, and the proctors were there if I needed them. 

EDIT 2:

After talking it over with a few friends, I decided I was crazy to refuse to send in a report! I mean, I paid for the exam so I might as well get feedback from OffSec!

This afternoon I spent four hours typing up a 35 page report (excluding appendices). Can you imagine how large the report would have been if I had been more successful!


OSCP+ is kicking my hiney

2025-04-26 01:36:00

Almost exactly seven years ago I passed the OSCP exam. I'm currently sitting the new OSCP+. 

Make no mistake, OSCP+ is not your (grand)mother's OSCP

Two big take-aways:

I am seventeen hours in and I have two flags. Two, out of ten. 

This certainly triggers a new dose of Imposter Syndrome!

EDIT:

Eighteen hours in, I give up. Still two flags out of ten and I'm dead tired. 

I was expecting not to pass this exam, I knew I wouldn't. I just didn't expect it to go this badly. 


Good catch, Unifi. Settle down.

2025-04-23 18:00:00

[Image: Unifi pop-ups on my phone]

I was doing a few Burp Suite labs on Hack The Box earlier today. I noticed that one particular test with Intruder kept getting stuck after the second attempt. Only after restarting the lab VM on a new IP did my test start again, only to get blocked again. 

It was only later, when I looked at my phone, that I put two and two together. 

The lab VMs are not behind Hack The Box's VPN, they're public on the Internet. Thus my tests weren't going through the lab VPN, but were going straight through my router. 

The router with an IDS+IPS.

Unifi was blocking my "hacking". :D 
