If there were some sort of standalone user mode NAT for Windows, that
worked like the one built into VirtualBox, I'd love to use that.
I don't know about "user mode", but Internet Connection Sharing could perhaps be pressed into service.
Great idea, but unfortunately WSL2 already uses "Internet Connection Sharing"
which creates a "Microsoft Hosted Virtual Adapter" and the damn VPN blocks
that as well.
Oh, I see. I don't suppose they make a Linux client that you can run in WSL2 (which, spoiler alert, might depend on systemd these days)
They do. I haven't tried it, but in the past I used the open source OpenConnect
client instead of AnyConnect, which worked really really well until they implemented
2FA in the most boneheaded mode possible; it insists on chaining out to the
browser instead of offering other options like entering a code or answering
a text message. I haven't tried the Cisco branded client inside of Linux
but everyone says it's awful.
The other problem is that a client running in WSL2 wouldn't be able to get to the VPN server because the AnyConnect client in the parent operating system has already blocked all network traffic other than itself. And even if I could get the client to connect ... well, for one thing I'm already on the corporate network so I wouldn't need it, and also, the server rejects connections from the inside. And they probably won't let the same user connect twice anyway.
Keep the ideas coming if you have them, but so far I've run through all of the ones suggested. The VPN server can be configured to allow clients to access their local networks, but they have that option shut off. I think this is going to have to be an effort to convince Corporate IT to flip that setting for us. Fortunately, it's no longer just "that one weirdo who wants to run Linux" but we have an entire DevOps team who are now struggling with it, so maybe there's some more clout available now.
Same here, it's damned annoying. (And one reason I went to VMs for work. Fine, let them restrict it, I can still do what I want on the host.)
Sat Sep 10 2022 11:08:21 AM EDT from IGnatius T Foobar:
> The VPN server can be configured to allow clients to access their local networks, but they have that option shut off.
I mean it shouldn't be that one weirdo in this day and age, unless your whole org is committing to deploying everything on fucking Azure.
People need a development platform that matches prod, at least more or less. Maybe that's macOS, maybe that's Linux, but it almost certainly isn't Windows.
For VPN, my org uses a product called pritunl, which is free/open (in the base edition, at least) and implements OTP sanely enough. DNS on Linux currently requires a manual shell script run after connecting to get it to do what you want, but apart from that the support for Linux, Windows and Mac clients is easy to get going.
It isn't that one weirdo anymore. We have a devops team now and they all
know and love native Linux tools, because devops tools run on Linux (or FreeBSD
or MacOS I suppose, but never Windows).
I'm going to be flying out to corporate HQ this afternoon for a week of meetings.
If I run into our CISO I'm going to ask him about this. He's an old friend from when we were a much smaller org.
Unrelated - there was a well-known troll website that experienced a DDoS recently. Got a chance to watch how they responded, in real time.
They were able to keep a static portion of their site up. Dynamic forum content was a different story.
This got me thinking about how to build a DDoS resilient website. This used to be something I had filed in the category of "shit, I hope I never have to deal with this, head in the sand, I'll burn that bridge when I come to it."
Now it seems a lot more feasible. Route everything through a globally distributed edge network (CDN) like CloudFlare or CloudFront. Put a bit of code in edge to authenticate requests if necessary. Obfuscate your origin IP. Use auto-blocking rules if necessary. This all seems very doable and maybe even not prohibitively expensive with the right provider.
Right, and if you execute well on it, it could be pretty bulletproof. Write a Lambda@Edge script to authenticate your bearer tokens; instant reduction in malicious traffic that makes it all the way to your true backend host.
Since when is Uber a "well-known troll website"? (Oh wait, that was a security
fail, not a DDoS...)
I'm currently doing some work for one of the more popular free speech social networks. Without the dynamic content, there's really no point in logging in at all. CDN can deliver the site framework and the code that runs it ... that's about all, unfortunately.
Writing to a FaaS platform sounds interesting for that purpose, if you can find one that supports multiple cloud providers.
I am assuming he's talking about Kiwi Farms. Personally, I find Twitter and
Facebook to be MUCH more offensive than Kiwi Farms, but I am assuming that
the big corporate oligopoly (or as Josh calls them, "smug, dangerous perverts")
pressured CloudFlare into not only revoking service but possibly also helping
to compromise the site.
There is currently a user impact statement, prognosis, and technical explanation at [ https://kiwifarms.net/ ].
Let's be honest: Kiwi Farms *is* a well known troll website. That's kind of what they do. But I'm going to throw in my hat for their side, because (1) free speech, and (2) many of the people they troll deserve it. If weaponized karens can take Kiwi Farms off the Internet, then I should be allowed to take The Young Turks off the Internet for all the same reasons.
From a technical point of view, the idea of using a CDN to amplify DDoS attacks is an interesting one. I don't know if that's what happened but the potential for abuse is alarming. I'm sure Censorflare and the rest spend a lot of time thinking about these things though.
Trolling means trying to get a reaction. I'm sure some posters on KF do that, but for the most part they keep their discussions to themselves, and the rules are specifically intended to minimize outside influencing.
I am having trouble accessing the forum from here. Do you have any other place where I can read about what happened?
What little bit I saw, he got hacked (using a rather sophisticated process, I guess) and it's shut down until he can sort out the mess.
I don't think the forums are up right now. Or maybe I just didn't know where
to look. All I saw was a static site.
That is all I saw too. Just the static 'we are f-ed' message (in effect).
Mon Sep 26 2022 02:06:45 PM EDT from IGnatius T Foobar:
> I don't think the forums are up right now. Or maybe I just didn't know where to look. All I saw was a static site.