
ShellMonkey

@ShellMonkey@lemmy.socdojo.com

Some dingbat that occasionally builds neat stuff without breaking others. The person running this public-but-not-promoted instance because reasons.


ShellMonkey

3 things I'm still looking to get in one distro and Windows will be gone. Not looking to have my desk/lap turn into another ad platform like phones did.

Easy drive mapping for remote shares, most have this but some are a bit clunky.

Solid games support, mostly a WINE thing. One called Bazzite looks promising with a pile of pre-configured profiles.

Easy and reliable connection to a DC so the same creds can be used across multiple machines. This is probably the hardest part in Nix at this point.

Otherwise pretty well every app I use is web based and hosted on some local server, or has a Nix native variant.

ShellMonkey

Probably worth a shot. I've gotten it working on a version of Ubuntu in the past, but it was far from the simplicity of select domain, give join creds, and reboot that it is with Windows yet.

ShellMonkey (edited)

I have not, the last time I made a real effort at moving to Nix for games was quite a while ago. The big factor is if I can get GOG working since that's the preferred platform here.

ShellMonkey

I know it exists, have gotten it working with one of those AD compatible samba based DCs before, but not without some messing about. I'd really like to see it as simple as it is in Windows before saying it's a drop in replacement.

Tried the other day with Mint and ran into something where one of the searches promoted manually editing the hosts file to point to the DC and Kerberos address. That kind of thing shouldn't be required and is the kind of buggery I'd like to see sorted out.

addressing misconceptions about the recent TunnelVision vulnerability

I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?...

ShellMonkey (edited)

Claim: if you use HTTPS you are safe!

Overall a solid writeup, but this part could use some clarification. Assuming the VPN client doesn't leak DNS this is only a concern after exploitation by DHCP option.

Another thing that might be noted, since this is a DHCP based issue the window for compromise is largely going to be at the time of connection unless the server has a particularly short lease time. If there are multiple DHCP servers on the same network answering requests it's bound to raise some alarms if someone is watching the network so it makes 3rd person exploitation a very noisy method since you would have a race for who offered the lease first.

Edit: Really this attack isn't just a problem for VPNs but could apply to any network connectivity. A rogue DHCP server can cause all sorts of havoc. There used to be a single-button APK called 'firesheep' that would do similar to this by presenting itself as the gateway, although that wouldn't have allowed for the specific split routing config option push.

ShellMonkey

https://lemmy.socdojo.com/pictrs/image/7e31cdc7-384b-4791-b637-ddbd9be198fc.png

Discover/offer/request/acknowledge since it didn't make a pretty picture for me.

Basically it's just a case of who answers first. A DHCP discover is a broadcast message since the client doesn't know where or even if there is a server on the net. Whoever gets back to the client first with an offer though will end up with the request/ack following up and get to provide whatever options they push along with the offer.
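The race described in this comment, and the "multiple DHCP servers answering will raise alarms if someone is watching" point made a few comments up, as detection logic. This is an added example, not code from the thread: the message records are constructed to look like what a DHCP monitor might log, and the field names (`xid`, `server_id`, `router`) are assumptions.

```python
"""Spot competing DHCP servers from observed discover/offer/request/ack traffic.

Added example. OBSERVED is a constructed list of parsed DHCP messages; the
field names are an assumption about what a monitoring tool would emit.
Option 54 (server identifier) tells us who is answering each transaction.
"""
from collections import defaultdict

# Constructed sample: the known server (192.168.1.1) and an unexpected host
# (192.168.1.77) both answer the same DISCOVER; the unexpected one is faster.
OBSERVED = [
    {"t": 0.000, "type": "DISCOVER", "xid": "0x3903f326", "server_id": None},
    {"t": 0.004, "type": "OFFER", "xid": "0x3903f326", "server_id": "192.168.1.77", "router": "192.168.1.77"},
    {"t": 0.011, "type": "OFFER", "xid": "0x3903f326", "server_id": "192.168.1.1", "router": "192.168.1.1"},
    {"t": 0.012, "type": "REQUEST", "xid": "0x3903f326", "server_id": "192.168.1.77"},
    {"t": 0.015, "type": "ACK", "xid": "0x3903f326", "server_id": "192.168.1.77", "router": "192.168.1.77"},
    {"t": 5.000, "type": "DISCOVER", "xid": "0x1a2b3c4d", "server_id": None},
    {"t": 5.009, "type": "OFFER", "xid": "0x1a2b3c4d", "server_id": "192.168.1.1", "router": "192.168.1.1"},
]

# Allow-list of the servers that are supposed to hand out leases on this segment.
KNOWN_SERVERS = {"192.168.1.1"}


def audit_dhcp(messages, known_servers):
    """Return a list of findings describing rogue-server symptoms.

    Three things are flagged: an OFFER/ACK from a server not on the allow-list,
    a client REQUEST that names an unknown server (the lease was accepted), and
    any transaction where more than one server offered, i.e. a race, reporting
    which server answered first.
    """
    offers = defaultdict(list)  # xid -> [(time, server_id)]
    findings = []
    for m in messages:
        sid = m.get("server_id")
        if m["type"] in ("OFFER", "ACK") and sid not in known_servers:
            findings.append(f"unknown DHCP server {sid} sent {m['type']} for xid {m['xid']}")
        if m["type"] == "REQUEST" and sid and sid not in known_servers:
            findings.append(f"client accepted lease from unknown server {sid} (xid {m['xid']})")
        if m["type"] == "OFFER":
            offers[m["xid"]].append((m["t"], sid))
    for xid, seen in offers.items():
        servers = {sid for _, sid in seen}
        if len(servers) > 1:
            first_time, winner = min(seen)
            findings.append(
                f"{len(servers)} servers offered for xid {xid}; first to answer was {winner} at t={first_time:.3f}"
            )
    return findings


if __name__ == "__main__":
    for line in audit_dhcp(OBSERVED, KNOWN_SERVERS):
        print(line)
```

On a real network the same logic runs over a packet capture or DHCP snooping logs; the allow-list is the part that needs to reflect your own segment.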

ShellMonkey

It says right in there that they can't see what you are sending or receiving, but seeing the SNI provides context on what you're doing. Not seeing where it's false at all.

Using that SNI header profile though, if one was inclined and the site doesn't enforce HSTS, it would be simple enough to proxy traffic through their gateway, or to create a phishing duplication of the site with a DNS redirect.

ShellMonkey

WiFi pineapples are fun that way. I've taken one out on a drive going to our cabin in scanning mode and picked up 100+ different SSIDs along the way. It can also respond as a wildcard to any request that comes by or just be obnoxious and advertise them all at once.

Never setting an 'auto connect' for unsecured WiFi is a must in that case. Secured not so much an issue unless the interceptor has the key for the network at least.

ShellMonkey

Most mobile devices these days default to using a random spoofed MAC, so I have a hard time seeing how that's effective unless it's done as a whitelist only.

ShellMonkey

It's pretty much the same thing that 'tile' does, it's scary that they do this as an opt-out though. Having that as a system level function effectively means they can enable or disable it at will without having to have a separate app.

One more bug to sort out with notifications and I'm full time onto GrapheneOS.

ShellMonkey

As useful as tile is ideal to me. Don't allow for the global tracking but let me make my keys or wallet make a noise when I've misplaced them.

Why Your VPN May Not Be As Secure As It Claims ( krebsonsecurity.com )

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection...

ShellMonkey

Short version of this attack, it involves split routing for the tunnels. A lot of clients will have a default route-all to send traffic through the VPN. There is however a limitation to this because the tunnel itself needs a route from the local NIC to connect to the VPN endpoint and establish the tunnel, otherwise you end up with a chicken and egg where you can't establish the VPN. By taking advantage of the DHCP option to set preferred routes (really anything more specific than 0.0.0.0/0) it can tell the host system to send the specified traffic through the local gateway rather than the tunnel's virtual adapter.

One relatively simple fix if you happen to have a fancy router/firewall on the edge of the network that handles the VPN would be to use policy based routing rather than relying on the underlying network configuration. Static route tables would be possible too, but in theory that could be overridden by just sending a more specific route again than what was set statically.
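The "anything more specific than 0.0.0.0/0 wins" point above, worked through in code: decode the DHCP classless static route option (option 121, RFC 3442 encoding) and check each pushed route against the routes a full-tunnel VPN client typically installs. This is an added example, not code from the thread or from any VPN client; the option payload, the tunnel routes (the common 0.0.0.0/1 plus 128.0.0.0/1 pair) and the VPN endpoint address are all constructed.

```python
"""Decode DHCP option 121 and flag routes that would steer traffic off a VPN.

Added example. Option 121 packs each route as: one byte prefix length, then
only the significant octets of the destination (ceil(prefix/8) bytes), then
the four-byte router address. SAMPLE_OPTION_121, TUNNEL_ROUTES and
VPN_ENDPOINT are constructed values for illustration.
"""
import ipaddress

# Constructed payload carrying three routes, all via the local gateway 192.168.1.1:
#   198.51.100.0/24   -> more specific than the tunnel's /1 routes, pulls traffic out
#   203.0.113.5/32    -> the VPN server itself, legitimately outside the tunnel
#   0.0.0.0/0         -> a default route, less specific than the tunnel's /1 routes
SAMPLE_OPTION_121 = (
    b"\x18\xc6\x33\x64\xc0\xa8\x01\x01"
    b"\x20\xcb\x00\x71\x05\xc0\xa8\x01\x01"
    b"\x00\xc0\xa8\x01\x01"
)

# What a typical route-all VPN client installs: two /1 routes via the tunnel
# adapter (they beat a plain 0.0.0.0/0) and a /32 to the endpoint via the NIC.
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]
VPN_ENDPOINT = ipaddress.IPv4Network("203.0.113.5/32")


def decode_option_121(data: bytes):
    """Return a list of (IPv4Network, IPv4Address router) from an option 121 payload."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8                       # number of significant octets
        dest = bytes(data[i:i + n]) + b"\x00" * (4 - n)
        i += n
        router = data[i:i + 4]
        i += 4
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{plen}", strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


def routes_escaping_tunnel(pushed, tunnel_routes, vpn_endpoint):
    """Return pushed routes that are strictly more specific than a tunnel route.

    Longest prefix match means such a route wins over the tunnel for the
    addresses it covers. The /32 to the VPN endpoint is skipped because it has
    to stay outside the tunnel for the tunnel to exist at all.
    """
    escaped = []
    for net, router in pushed:
        if net == vpn_endpoint:
            continue
        if any(net.subnet_of(t) and net.prefixlen > t.prefixlen for t in tunnel_routes):
            escaped.append((net, router))
    return escaped


if __name__ == "__main__":
    pushed = decode_option_121(SAMPLE_OPTION_121)
    for net, router in routes_escaping_tunnel(pushed, TUNNEL_ROUTES, VPN_ENDPOINT):
        print(f"route {net} via {router} would bypass the tunnel")
```

The same check can be run against the live routing table after a lease renews, which is the point in the comment about the window of exposure being at lease time.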

ShellMonkey

So now you can have the devs that shun the cheat of having AI write their code instead copy-paste from Stack Overflow's AI-written code.

ShellMonkey

Hardly the only, but not always the case either. I'd put some of it down to rose-colored nostalgia, some to the given fact that so much today is buying a base framework game and then selling 276 'addons' to make it complete, and part to that back when systems didn't have the power they do now developers couldn't rely so much on all the flashy imagery and effects so they put more effort into the story and unique gameplay. A lot of smaller studio games pull that latter part off today still, but they're sometimes harder to find.

ShellMonkey

I guess it depends on what you're looking for and what you consider flashy. I tend to do most of mine from GOG these days just out of a preference for avoiding DRM on principle. Found a few interesting ones just of the 'cheap enough that it doesn't matter if it's not great' types.

A major marker of quality for me tends to be if something just feels polished, like the menus make sense rather than looking like someone just stuck things where they could without thought, but it could still run on a potato without making things melt.

ShellMonkey

There are a lot of variables, but media types typically have expected limits established.

https://www.arcserve.com/blog/data-storage-lifespans-how-long-will-media-really-last

Humidity and UV are murder on a lot of things. Pressed optical media will generally last a lot longer than CD-R if for nothing else but the top layer over the reflective foil that's missing from some cheap recordable disks. The error resiliency is a factor to think of too. If you miss a few bits in a picture or audio recording it won't do much, but in an executable program it could prevent it working at all.

ShellMonkey

https://ipleak.net/

A favored test by the AirVPN people. Gives a decent picture of your print. Thing is, they can pick all the screen resolutions and browser types they like, but it only does good with a location

ShellMonkey

Shortly after the net neutrality rules were first revoked mine sent a message asking me to opt out of gathering data for sale, so definitely not always the case. Not trusting some checkbox to prevent them from doing so in the future, everything that can be put through tunnels has been since.

ShellMonkey

A lot of times the concern is less the location and more deviations from normal behavior. Geo location is something of a mixed bag. The local IP via an external lookup isn't particularly reliable if someone happens to use VPNs at home, or locating it several miles away when ISPs cover whole regions. Combine it with a system similar to how Google maps known WiFi hotspots as an alternate location marker and you can get a lot more reliable.

If someone logs in outside their normal hours and shows up from halfway across the globe an hour later you can bet it's going to raise some alarms, or at least it should.

Some things it becomes a case of contractual needs. A lot of government work comes with a requirement it be performed by someone within a certain country.
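The "outside normal hours, then halfway across the globe an hour later" heuristic from this comment, as detection logic over constructed login records. This is an added example, not code from the thread: the events, the working-hours window and the speed threshold are assumptions, timestamps are treated as UTC, and the latitude/longitude per login is assumed to come from whatever geolocation the log pipeline already attaches (with the caveat the comment raises that IP geolocation alone is coarse).

```python
"""Flag logins that deviate from a user's normal pattern.

Added example. Two signals: a login outside the expected hours, and
'impossible travel', where the distance from the previous login divided by
the elapsed time exceeds what an airliner could manage. EVENTS is a
constructed sample; all timestamps are UTC for simplicity.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (user, UTC timestamp, latitude, longitude).
EVENTS = [
    ("alice", "2024-05-10T09:05:00Z", 40.71, -74.01),   # New York, working hours
    ("alice", "2024-05-10T15:40:00Z", 40.73, -73.99),   # New York again, fine
    ("alice", "2024-05-11T02:10:00Z", 40.71, -74.01),   # 02:10, off hours
    ("alice", "2024-05-11T03:15:00Z", 1.35, 103.82),    # Singapore an hour later
    ("bob",   "2024-05-11T10:00:00Z", 51.50, -0.12),    # London
    ("bob",   "2024-05-11T14:00:00Z", 48.86, 2.35),     # Paris four hours later, plausible
]

WORK_HOURS = range(7, 20)      # assumption: 07:00-19:59 is the normal window
MAX_SPEED_KMH = 900.0          # assumption: faster than this is not a real trip
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect(events, work_hours=WORK_HOURS, max_speed=MAX_SPEED_KMH):
    """Return (user, timestamp, reason) tuples for anomalous logins."""
    alerts = []
    last = {}  # user -> (datetime, lat, lon) of their previous login
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if when.hour not in work_hours:
            alerts.append((user, ts, "off-hours login"))
        if user in last:
            prev_when, prev_lat, prev_lon = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # Zero elapsed time with a real distance is also impossible travel.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_speed:
                alerts.append((user, ts, f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
        last[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect(EVENTS):
        print(f"{ts} {user}: {reason}")
```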

ShellMonkey

That'll only ever pass if the big cloud vendors allow it. No way that Azure/AWS/Google wouldn't object if a sizable portion of their user base gets upset and threatens to leave. How much of that user base argues is unknown though.

ShellMonkey

Generally yes, it would matter a lot how it was structured. Today you couldn't call up AWS and ask for the details on a service owner out of privacy reasons and there are ways to register things by proxy. If they started stripping those kind of protections away though there's bound to be some pushback.

ShellMonkey (edited)

It's the only version I've come across as a pre-installed option for bought systems, particularly from Dell. A big thing going for it is if you search 'how to do X in Linux' you can pretty safely bet some or even most top hits are Ubuntu related.

ShellMonkey

Mealie previously, now Homechart. Mealie is probably better suited to the specific purpose, but Homechart includes a mess of other functions.

ShellMonkey (edited)

And yet Europe gets held up as this bastion of liberty and personal rights...

Things like the GDPR are lovely and all, but then they ask for the ability to have real-time access to private communications. Pick a lane, folks; the rest of the world needs an example to live up to.

ShellMonkey

The problem with that line of thought though, while people generally expect/wish for private communication, few actually care to understand the mechanics of it. Nor should they have to, that's what security engineers are for, to do all that archaic setup so people can just use it without having to check certificates and protocols and all that stuff.

I'd say that if we could just have a simple to use, no-click pgp style system things would be good and we no longer have to keep nagging people to set things up the 'right' way, but so much of the hassle comes in by people using 100 different communication platforms.

Of course though: https://xkcd.com/927/

ShellMonkey

I can do the same in something like adguard or pihole...

ShellMonkey

How much simpler can I make this...

You have a primary 'master' server in the pool.

Replica/cache servers periodically ask the master for any updates.

Master gives a new update, which is a sinkhole for a marked malicious domain.

Replica/cache server now resolves malicious domain to the sinkhole address.

This is not a 'feature' you have to implement, it's a basic function of running a redundant DNS system.

ShellMonkey (edited)

This has been a theory for a while, just not sure it was a specifically ruled precedent. The notion being similar to how they can force fingerprinting but not testimony. Access to a physical lock or location you can't simply say 'stay out' but they can't force you to divulge a password since it's a thought in your mind.

Also, relying on biometrics is terrible, quick but immutable keys are a big no-no.

ShellMonkey

If you don't have concerns about it being private I've used one of these for similar purposes in the past. Just a little portable DLNA server. The original project stopped but there are forks or the last version of the original out there.

https://en.m.wikipedia.org/wiki/PirateBox

ShellMonkey (edited)

Same bot from yesterday with a new account. I guess they love George Floyd and cartoon butts.

ShellMonkey

There have been a few instances for the same bot, guessing they have open reg

ShellMonkey

Meme doesn't make sense in this context, but do love me some GOG.

ShellMonkey

I'm pretty sure it would still work, but images for media content would have broken links. I'm not sure of the refresh policy as far as remote media goes, but local stuff could be re-uploaded and it should be able to retain things like the user names and comment data even without pictures.

ShellMonkey

https://www.tubearchivist.com/

I've liked this one. Lets you subscribe to channels/playlists and download en masse if you're inclined.

ShellMonkey

Self hosted version of https://homechart.app/

Not FOSS (source available I believe though) but it has the option of a lifetime license rather than a subscription. Dev is readily available and helpful too.

ShellMonkey

One neat aspect is under the admin options you can hide whole sections of the menu to not show what you don't need. Makes things a lot less cluttered that way.

ShellMonkey (edited)

As a general rule if it's a public-ish service like Lemmy (more a friends and family than public) or something where I want ready access like auto uploads it has public access, otherwise it's private. I make it a point to have everything facing outside have 2FA enabled and/or limit the available sources to known IP ranges.

ShellMonkey

Limiting the attack surface is a big part; geo restrictions, reputation lists, brute force mitigation, it all plays a role. Running a vulnerability scanner against your stuff is important to catch things before others do, and regular patching is important too. It can be a rewarding challenge.

ShellMonkey

https://www.tenable.com/products/nessus/nessus-essentials

https://www.rapid7.com/blog/post/2012/09/19/using-nexpose-at-home-scanning-reports/

https://openvas.org/

Both Nessus and Nexpose are typically enterprise class systems but they have community licensing available for home labs. Nessus can even be set up in a docker container. OpenVAS is more or less free but can be upgraded with pro feeds, but last I tried it, it was a bit more rough to use.

Do be aware though that throwing a full force scan will use a lot of CPU and can break things depending on the settings, so it's good to practice their settings on some non-critical systems first to get a feel for them.

ShellMonkey

Content aside, it's odd to see a title with 'Exclusive' on a platform freely federating things between a bunch of independent nodes.

ShellMonkey

I guessed as much. Just contemplating how that would even work if the web at large was more like the fedi.

ShellMonkey

Could always go to excessive measures, your own cloud hosted VPN node to hop to an external provider or similar. Unless you're a major target nobody wants to deal with multiple providers and jurisdictions.

ShellMonkey

If I'm picturing the gear right, putting the TP into AP mode would just make it a client of the network that would then serve as your WiFi and the new box could be set up as the router/gateway for both the TP and the other clients formerly plugged into the TP.

Usually, changing the mode from router to AP would keep the LAN side active as an unmanaged switch, and may even add the WAN port to it. So if all the above holds true, go modem, Celeron (opnsense), TP (LAN to LAN) and then plug the remaining Ethernet either into the TP or the other LAN ports on the Celeron box; both should be the same local network.

ShellMonkey

It works so long as you're not trying to create separate networks. When/if you decide to start with some VLAN madness and such the AP likely won't work for that, unless it's fancy and can do multiple SSIDs on separate VLANs, but most WiFi/router combos don't go that far.

Basically the new firewall/router box becomes the boss of everything, doing DHCP, likely DNS relaying, and all the monitoring. Simple and efficient, just wouldn't go hosting public services with the setup since there's no 'DMZ' to keep it separate from your personal devices.

ShellMonkey

I thought they switched CEOs to focus on privacy a week or so ago?

ShellMonkey

A big part of it comes to the dying throes of a scarcity model that has been in progress for the past several decades. Data, or media, can be duplicated with trivial cost where a bit of bread or plank of wood cannot. Scarcity adds a premium onto the value of something irreplaceable.

Mass produced media holds less value individually to the average user since they have no stake in the creation, but family photos do since they have personal ties to them. Both are at the end just bits on a disk though.

What gives something functionally infinite in supply worth, then, is that the person holding it sees it as important, or in the case of purchased goods that they've exchanged something of known value for it. I don't have a clear answer on how to give permanence to something that can stop existing with a few keystrokes, but a part of that is in not ceding control to another entity over access to it.

ShellMonkey

The other options of making the containers dependent on mounts or similar are all really better, but a simple enough one is to use SMB/CIFS rather than NFS. It's a lot more transactional in design so the drive vanishing for a bit will just come back when the drive is available. It's also a fair bit heavier on the overhead.

Using NFSv4 seems to work in similar fashion without the overhead though I haven't dug into the exact back and forth of the system to know how it differs from the v3 to accomplish that.

ShellMonkey

No, currently Univention Corporate Server (UCS), but I'll give those a look since I've been eyeing a replacement for a while due to some long standing vulns that I'm keen to be rid of.
