ShellMonkey

ShellMonkey, 10 days ago

I wonder what the costs would be to just literally launch it into the sun. Let it all get recompiled in the big fusion furnace and out of our hands. Of course if the rocket failed during launch you have a real big problem, but that part aside.

ShellMonkey, 10 days ago

Could work more along the lines of a cruise ship though. Not as an efficient way to get somewhere but just to go float around doing vacation stuff.

ShellMonkey, 10 days ago

How big a bottle and how efficient the vape? When I did regularly if I recall a 30 ml bottle would last about a week. That switching from a pack/day smoking for comparison of volume.

ShellMonkey, 10 days ago

Plus the ever popular tactic of using the fact people don’t understand marginal rates against them. It’s not a case of if you get over $1M you lose 95% of it, you lose 95% of amounts in EXCESS of $1M…

ShellMonkey, 13 days ago

Pretty sure the separation of church and state has something to say about this.

ShellMonkey, 15 days ago

3 things I’m still looking to get in one distro and Windows will be gone. Not looking to have my desk/lap turn into another ad platform like phones did.

Easy drive mapping for remote shares, most have this but some are a bit clunky.

Solid games support, mostly a WINE thing. One called Bazzite looks promising with a pile of pre-configured profiles.

Easy and reliable connection to a DC so the same creds can be used across multiple machines. This is probably the hardest part in Nix at this point.

Otherwise pretty well every app I use is web based and hosted on some local server, or has a Nix native variant.

ShellMonkey, 15 days ago

Probably worth a shot. I’ve gotten it working on a version of Ubuntu in the past, but it was far from the simplicity of select domain, give join creds, and reboot that it is with Windows yet.

ShellMonkey, 14 days ago (edited 14 days ago)

I have not, the last time I made a real effort at moving to Nix for games was quite a while ago. The big factor is if I can get GOG working since that’s the preferred platform here.

ShellMonkey, 14 days ago

I know it exists, have gotten it working with one of those AD compatible samba based DCs before, but not without some messing about. I’d really like to see it as simple as it is in Windows before saying it’s a drop in replacement.

Tried the other day with Mint and ran into something where one of the searches promoted manually editing the hosts file to point to the DC and Kerberos address. That kind of thing shouldn’t be required and is the kind of buggery I’d like to see sorted out.

ShellMonkey, 16 days ago

I’ve been a user of GOG for a while principally because of the no-drm ability to download a copy of what you bought. When the library starts getting past a certain size though you start to wonder about those things like what if the producer has a falling out and wants to yank it from the platform, does it vanish from my library then too? Are there contracts that say ‘forever’ when they offer it? Would love to find some ‘download all’ option to take a full copy offline of the bought items at once but it’d probably overrun the monthly ISP limits even if they had one.

Seen too many things on Netflix or Spotify that I liked vanish because ‘fuck off, we can’ and although I never anticipated it being ‘bought’ in those cases it does give a lot of justification to find alternate means to reestablish that access.

ShellMonkey, 17 days ago

Nuking anything is never the right decision unless you’re heating up some leftovers. There is no such thing as a justified mass destruction weapon.

ShellMonkey, 20 days ago (edited 16 days ago)

Claim: if you use HTTPS you are safe!

Overall a solid writeup, but this part could use some clarification. Assuming the VPN client doesn’t leak DNS this is only a concern after exploitation by DHCP option.

Another thing that might be noted, since this is a DHCP based issue the window for compromise is largely going to be at the time of connection unless the server has a particularly short lease time. If there are multiple DHCP servers on the same network answering requests it’s bound to raise some alarms if someone is watching the network so it makes 3rd person exploitation a very noisy method since you would have a race for who offered the lease first.

Edit: Really this attack isn’t just a problem for VPNs but could apply to any network connectivity. A rouge DHCP sever can cause all sorts of havoc. There used to be an single button APK called ‘firesheep’ that would do similar to this by presenting itself as the gateway, although that wouldn’t have allowed for the specific split routing config option push.

ShellMonkey, 20 days ago

https://lemmy.socdojo.com/pictrs/image/7e31cdc7-384b-4791-b637-ddbd9be198fc.png

Discover/offer/request/acknowledge since it didn’t make a pretty picture for me.

Basically it’s just a case of who answers first. A DHCP discover is a broadcast message since the client doesn’t know where or even if there is a server on the net. Whoever gets back to the client first with an offer though will end up with the request/ack following up and get to provide whatever options they push along with the offer.

ShellMonkey, 20 days ago

It says right in there that they can’t see what you are sending or receiving, but seeing the SNI provides content on what you’re doing. Not seeing where it’s false at all.

Using that SNI header profile though if one was inclined and the site doesn’t enforce HSTS it would be simple enough to proxy traffic through their gateway, or to creating a phishing duplication of the site with a DNS redirect.

ShellMonkey, 20 days ago

WiFi pineapples are fun that way. I’ve taken one out on a drive going to our cabin in scanning mode and picked up 100+ different SSIDs along the way. It can also respond as a wildcard to any request that comes by or just be obnoxious and advertise them all at one.

Never setting an ‘auto connect’ for unsecured WiFi is a must in that case. Secured not so much an issue unless the interceptor has the key for the network at least.

ShellMonkey, 20 days ago

Most mobile devices these days default to using a random spoofed MAC, so I have a hard time seeing how that’s effective unless it’s done as a whitelist only.

ShellMonkey, 21 days ago

Edwards described critics of his underage marriage stance as “an army of control freaks that want to entice a pregnant woman into an abortion rather than allow a marriage”

The guy goes on about personal freedom but then puts it as an either/or that someone gets pregnant and they have one of two choices…

ShellMonkey, 21 days ago

Chances are unless you’re actively trying to avoid it the toothpaste you use has it already. I’m not aware of any particular benefits or detriments to having it in the water supply versus the more direct application route.

ShellMonkey, 19 days ago

Fair point, useful for the city but not missing out on anything by having a private well then though.

ShellMonkey, 20 days ago

It’s pretty much the same thing that ‘tile’ does, it’s scary that they do this as an opt-out though. Having that as a system level function effectively means they can enable or disable it at will without having to have a separate app.

One more bug to sort out with notifications and I’m full time onto GraphineOS.

ShellMonkey, 20 days ago

As useful as tile is ideal to me. Don’t allow for the global tracking but let’s me make my keys or wallet make a noise when I misplaced them.

ShellMonkey, 22 days ago

github.com/smdgames/reactle

Easy enough to change that

ShellMonkey, 22 days ago

Such a charming and rational fellow that one

ShellMonkey, 23 days ago (edited 19 days ago)

Short version of this attack, it involves split routing for the tunnels. A lot of clients will have a default route-all to send traffic through the VPN. There is however a limitation to this because the tunnel itself needs a route from the local nic to connect to the VPN endpoint and establish the tunnel, otherwise you end up with a chicken and egg where you can’t establish the VPN. By taking advantage of the DHCP option to set preferred routes (really anything more specific than 0.0.0.0/0) it can tell the host system to send the specified traffic through the local gateway rather than the tunnel’s virtual adapter.

One relatively simple fix if you happen to have a fancy router/firewall on the edge of the network that handles the VPN would be to use policy based routing rather than relying on the underlying network configuration. Static route tables would be possible too, but in theory that could be overridden by just sending a more specific route again than what was set statically.

ShellMonkey, 10 days ago

From the client to the VPN host it’s feasible to do protocol/port identification and prevent it that way. Some are significantly more difficult to do that for though, particularly when it uses something like HTTPS to blend in with the general flow. It’s possible to set up a national level proxy gateway, but that would require a user’s system to trust some alternate CA which would be really hard to enforce.

Short version, there’s always a way around, but they can make it real tough for the average user.