Hi guys, if some of you are using RetroShare over I2P, please add me to your circle:

ABATxeFjmzv8pgGufEl3IT6TAxTfwbjsCaLHZ+biHt803TDGPDGXMgEGa2xvcHBvkEIAAAAEAApyZXRyb2JhbmhhcTJ6eHpvMmo0
M3FzYW5icXlvYm5sYXVqanh5eHFkenlkY3Vzb2E1NXpxLmIzMi5pMnAEAy1eVw==

 

Speaking of TP link, they may be banned shortly in the US like Huawei.  Even tho officially they are built in Vietnam, and funneled thru a company based in California.  And as of yet its just rumor so unsure what 'ban' means.  No more selling to state/federal entities? No more selling to anyone?  Or an actual purge and if they are detected on the wire, your ISP shuts you off?

i wonder which other brand paid off the feds to get that thru..  None of this is about national security, its all about money. ( i hear they are the most popular brand for home use so mega money coming in to replacements ) 

I suggest you take a look at RouterOS network flowchart.

Lots of operations can be carried out on specific hardware components, ie. if your router has 2 independent switches in its hardware configuration, the switches themselves can manage a lot of the traffic themselves without involving the CPU. However, as soon as you start doing layer 3 firewalling you will get the CPU involved for a high number of connections unless you offload it somehow.

Right ... even my little Mikrotik hEX (as I mentioned, a USD$50 router ... you're using it right now by way of accessing this site) has a packet switch on the SoC and will forward packets at wire speed if it doesn't have to apply any transforms such as NAT or VPN or whatever.  I like how there's an actual forwarding rule in the configuration for "fastpath" to manage and track what's being forwarded that way.  I believe you were the one who turned me on to Mikrotik some number of years ago and I've been a big fan ever since.

There, i fixed it for you  .  lol

To be fair, they do have a good ecosystem, but they always chose the lowest possible arm soc available so they could be the cheapest on the market, but marketed it as 'more capable' so people bought into it, and many were turned off due to the lack of performance, giving the ARM world a bad name for a long time.  If they had marketed it for what it was, i ( and others ) would not dislike them so much.

Fri Jan 24 2025 13:15:47 UTC from darknetuser Subject: Re: Trusting the new router

I am not aware of how RPI routers do it, but RPIs are pathetic pies of crap, by design.

Would make it more flexible. But i can see that happening on enterprise level stuff where you need the bandwidth.  But home and small office, a cheapo CPU is more than enough to push those bits around.

Tue Jan 21 2025 01:39:07 UTC from zelgomer Subject: Re: Trusting the new router

 For some reason we don't route through the CPU, even though it would just be configuration or metrics type traffic. That's why I assumed it had to be that way.

One of the weirdest things i have ever seen. 

Take new router out to closet, all it does is keep power cycling.  I thought it might have been something i had plugged into the USB port for power that was pissing it off on boot. ( my security cameras wireless connection point ). So i punted until today for when i was bored. Grabbed a usb plug for the camera thing and tried it again.  Nope.  Remove all the cat 5 cables. Nope,. still power cycling.  Pull it off the battery side ( that is working fine for everything else ) and move it to the surge only side. Nope.  Bypass the power "box" totally and straight to 110 outlet. Nope.

Bring it back in the house. Works fine, just like last time. 

wtf.

Yes i can get around it....

Option 1 - Move the router "inside" the house. But it also means relocating my 2 mini-servers that are out there now, the router, ups, camera endpoint, cables, bla bla.. so more stuff in my 'computer room/office' to deal with, along with my huge ass AI server box that is in here now. End of world? No. Annoying as all hell, yes. Noisier and warmer in here, yes.   Might be a power problem too having it all on one circuit. My AI box can suck up close to a KW at full blast.

Option 2 - Turn off WiFi on current router ( which is the current issue. being flaky now ), and stick this new one in the computer room for wireless only.   Would work with less space, but who knows how long the other is going to last since its acting up. And ill need another switch. Id be out of ports and do need a spare from time to time. Short of going wireless on my main PC i guess..

Option 3 - Move to another house that has plenty of room in the basement to do it all.  ( lol, id love to do that.. but nope )

and i know an option would be go build one out of one of these multi-port arm boards i have around here that are meant for that, and leave things 'as they are' as far as location and such. But i just bought this stupid thing. Be nice to actually use it.

Even lower than bottom..  considering the CPU In some of the commodity routers are worse than an RPI. 

I donno, the last one i had, was "push button" and it was fine for 8+ years and cost me like 50 bucks.   It gave me NAT, routed ports, reserved addresses. 6G WiFI.. it 'just worked'  ( and 1G ports so fast enough for me )

The new one, donno yet, i did get it ready, including all my IP/MAC reservations but not taken the time to take it out back and install it since its been chilly, a foot of snow, and the other started working ok again after the last power cycle. ( long story i have told before, weather matters unless its 'critical'  as that part of the house is 'outside access', at least until i get the energy to tear down a wall in the utility room and extend it out to this 'isolated room' thing )

Sat Jan 18 2025 21:54:01 UTC from darknetuser Subject: Re: Trusting the new router

  

It is not about fun. It is about having good service. I tend to go the manual way because otherwise you have crap service. Fun is just a bonus.

Ya i have done it all at one point too. 

But its not 'fun'.. anymore. I just want to push a button and it work.  Its just a router.. 

It's not all that uncommon.  I ran my home network without a "real router" for the first 17 years (1996 through 2011).  My main server had a local network connection and an Internet connection and passed traffic between them.  In the 1990s this design pattern was more common than you might imagine today.  Eventually I switched to a consumer grade router.  A lot of people are still enthusiastic about building their own routers, using VyOS or OpenWRT or pfSense or whatever.  Some will even just drop a Linux machine across both networks and run iptables etc. by hand, which I've also done from time to time.

There's no wrong answer.  You decide where you want to spend your time and what makes you happy.

No. Just getting tired of it all to be honest. My entire life i have 'done it myself'   ( see the hot rod and home handyman rooms for more on that.. )

Thu Jan 16 2025 00:33:02 UTC from zelgomer Subject: Re: Trusting the new router

What exactly does this mean, btw? Were you writing router firmware?

Nah they have zero interest in me.  The only capture of my data is side-noise.

Wed Jan 15 2025 01:19:03 UTC from zelgomer Subject: Re: Batman-model WiFi routers

To be honest, i'm less worried about the Chinese watching me than the
NSA. I am of zero interest to the CCP as i have no money, influence

Sorry to tell you, they're likely the same. Or at the very least there is probably cross talk.

Few years ago id just roll my own. But getting tired. 

Sun Jan 12 2025 11:00:35 UTC from darknetuser Subject: Trusting the new router

My policy is to not trust consumer-grade networking equipment. Quite often you can tell it comes with ok hardware, but they can't bother putting together decent firmware for it.

Its a TP-link. I forget the model without going and looking.  its a WiFi 6 thing. 

To be honest, i'm less worried about the Chinese watching me than the NSA. I am of zero interest to the CCP as i have no money, influence or secrets, but as i wont follow agenda i am of interest to the US government. Not being a target is one reason it didn't bother me to buy Chinese phones for many years ( they didn't have all the carrier crap, and were 1/4 the price for the same feature set, so it was a practical win ).

I was meaning trust more in the sense of just trusting the thing is going go work, and not go wacko on me or just do stupid stuff and be unstable.  Purely from the technical standpoint.

New router at home this week.  Old one is getting flaky and i bought it in 2018 i guess, so time to retire it. This new one, aside from an annoyance on the WiFi options, and it has monster antennas sticking out all over it like something out of a batman movie, has built in openvpn and wireguard servers, and client of some sort. I wonder if i should trust it and ditch my 2 VMs that are doing that now.

Well, that was fun.

Didn't make it to the office Monday like i thought so plans to test there fell thru.

Went ahead and set it auto connect to my phone then took the phone out to the back yard in the shade to get just enough signal to work. Grabbed a battery for the device and stuck it out there in the shade too..Ran back in the house, nope its not connecting.  Brought it back in, hit the console and it wasn't resolving the host name for my server. Really odd. The hotspot must be blocking normal DNS servers or something, i donno. So just stuck it in the hosts file, reboot and it was fine. yay.   

Then i noticed the storage drive was not being seen.. ( 1TB mini size m.2, 2242 i think? i forget the numbers ). Puled it apart, and the case was literally melted slightly.. Its toast.  Seems others have had the same problem, this stupid ass board eats m.2  SSDs for lunch.

Sun Aug 11 2024 12:57:07 EDT from IGnatius T Foobar

So did you get it to work? Wireguard's ability to punch through firewalls using the traditional UDP semantics is excellent.

It is interesting that UDP has become quite popular in recent years. HTTP 3.0 uses it, Wireguard uses it, mosh uses it ... seems like everyone's got a TCP replacement these days.

Up to the point of taking it somewhere to test.   While what i did is pretty close to being 'remote' ... i still want to test.

Might be in the office Monday for managers meeting,if so ill drag it along with me and do tethering off my phone since i actually get signal there and don't need to make a special trip. Can set it to auto connect so i wont need console access to the thing if i try some random wifi... ( of course might be in the office staring next month on a regular basis :( )

Sun Aug 11 2024 12:57:07 EDT from IGnatius T Foobar

So did you get it to work? Wireguard's ability to punch through firewalls using the traditional UDP semantics is excellent.

It is interesting that UDP has become quite popular in recent years. HTTP 3.0 uses it, Wireguard uses it, mosh uses it ... seems like everyone's got a TCP replacement these days.

to  me i think 'server' = the one i have to open endpoints on. When you said 'server at friends', that was what i was thinking.

Not real sure what a good value is for keep alive, figured that its a good idea no matter what unless i was trying to hide it.  Their example showed 25, and it worked here. So unless that is a 'bad' number ill just leave it at that.

Sun Aug 04 2024 13:38:05 EDT from darknetuser

2024-08-03 15:29 from Nurb432
client is at friends.  no way i can open ports. 

It makes no difference. ONly one of the endpoints needs a wireguard port to be reachable. In this case it has to be your big badass router at your home.

You may need to set a sane keepalive for the connection to survive through NAT if your friend's NAT is just sucky.

Did have to add keepalive this time.  Client kept dropping after a while. Might have last time too, but i didn't leave it for long, kept beating on it.

Not like im trying to hiding the client, so not a big deal in the bigger picture.

Guess its time to load the actual hardware, figure out the best way to test it without having to drive anywhere.  ( if i had cell signal here, be easy, just go wireless off that for testing but no, have to drive to the local park and if i do that, might as well drive 2x to somewhere that has actual wifi. ).   I guess i could setup a PC with external VPN, hang it off a 2nd router bla bla bla.   

client is at friends.  no way i can open ports. 

Sat Aug 03 2024 14:55:29 EDT from darknetuser

Home system in LAN 1 <> big badass router <> WAN <>lame router fromfriend's house < server at friend's LAN

.

Still waiting for my file restore... so took a few minutes to set stuff up again.

i'm back where i was before i started mucking around with the confg files more.

Server running.  Client connects, cant access my network OR the outside...  But i can ssh from server to it. So it will do the job.    

Ill snapshot both and mess with the configs later see if can at least get the client to hit the internet.  ( might want to do OS updates someday and not drive out to do it )

I think this is what i did, and it sort of worked then fell apart.  But ill try it that way again. ( hard part is testing.. last time i was screwing with VPN + VMs to get it off my network to test with, with intent to replicate it on the 'box'..  cell signal is too low here to tether )

Fri Aug 02 2024 21:18:38 EDT from darknetuser

New use case:
* Setup server at home. ( easy )
*snip*

Easy. Your home needs a static IP. Configure your home wireguard enpoint to accept a peer with a given key from address 0.0.0.0 (all addresses).

Then you configure the drop-in in your friend's house to peer with your home with address $YOURHOME. You may need to play with the keepalive settings in order to pass through botched NAT systems at your riend's house, though.

That is part of the problem i don't have any access to mess with the remote network. it has to be 100% transparent.  if i could screw with their network it would be a lot easier, id just open a port and 'dial in' directly.

( and no, im not secretly stealing network access... its a 'hey, can you plug this in for me and just walk away' situation. )

Fri Aug 02 2024 21:13:58 EDT from darknetuser

You need routing rules on both routers to allow LAN1 to see LAN2 and the other way around.

Oh and for worst case,  i could always use openvpn i know, as it would let me access local devices out of the box.   but was hoping to not have to go with 'automated reach down' if i could pull it off. 

Ok so going to start back up playing with wireguard. last time it didn't go well ( for my original use case.. so i modified it somewhat ). Losing a drive this week, and the bad weather ( with tornadoes again ) has made me want to tackle it again.

I know its not hard, and was trivial to get the basics running last time too, but im lazy so going to use the config generator at https://www.wireguardconfig.com/  as a starting point  ( for phones, it creates a nice QR code for you... which was neat  )

But  related to troubles i had before, trying to do fancy stuff , so using just 'basic' configs couple of questions :( and i forget how much i tried and didn't try and screwed around with at this point, it was several days before i threw in the towel and punted )

• The wireguard subnet config: should it be the same as my home subnet or unique.   ?  ( i was trying to get the remote devices to be ON my network last time. i gave up on that part as it was a mess )
• assuming its not my home net, and I cant predict the remote subnet, so not sure what a good one to use that no other home router might use by default so it wont conflict at their place. 
• Can the remote devices attach to devices on my network or is it just an internet pipe only. ( i remember getting that to work, forget how)
• if its on my subnet, could i ssh/sftp into one of the remote devices, or do i need to change the routing rules on the remote device?
• If its not on my subnet, could i still ssh(SFTP really) from the local server back into one of the devices, or is that yet more 'special config'

New use case:

• Setup server at home. ( easy )
• Drop remote device at a friend for family house. ( a bit of a drive, but that is the point )
• May have to move it on a regular basis
• i have no control over remote network. just drop and go.
• Remote device connects back here automatically ( easy )
• Using rsync ( either via ssh or direct network, like via NFS ) to backup local files out to the remote device.  ( rsync so its always deltas..)

Optionally

• restore files from remote site instead of driving out ( but may be moot, if im restoring from there, my house is most likely gone anyway.. )

Really dont care if i have to run it all from the server, or directly from my network ( the original plan that blew up on me ). Dont care if its automated or i type commands. 

Worst case

• i have no control over the device, so a cron job to rsync on remote device to reach down grab from local folders on its own.   Drive out to restore in disaster situation 

Still reading the details but seems cloud-flare will stop hosting an IPFS gateway and now its going to be 'transferred' to something called " interplanetary shipyard " Something fairly new it seems, and somehow tied to the IPFS project.

While it was nice that cloud-flare was offering bandwidth 'to the cause', they were also blocking addresses on demand, both for IPFS and Etherium..  Scumbag *ers. So it might be a good change. ( or worse, donno yet )

For the guy asking about firewalld

https://www.redhat.com/sysadmin/how-to-configure-firewalld

( disclaimer: i dont use it. I dont even have a firewall enabled on my servers. Only 2 ports are open on my external facing router and I have a upstream ngnix proxy that does all the incoming for me.

I forget what room it started in, but did finally figure out what was causing network to collapse after running a VM or Docker container on a Debian workstation, but not server. At least in my case, ymmv for other people.

"connman"  remove that, fix what it added to the network config file that breaks when its removed... poof .. works.  it gets installed with lxde and a few other desktops.

To help with WiFi, i put in network-manager, has a console interface to scan/attach to APs. 

Im sure there are other fixes involving messing around with ip tables and routing and stuff, but that is a brain dead easy fix.

lol

So that explains the tremors. 

Ok I just must share this story, since we are talking about networks and earthquakes.

Now you know I normally don't do tech support for anyone who isn't either sleeping with me or signing my paycheck (in other words, my wife and my boss can ask for computer help, everyone else can fuck off).  But I did build the network in our church building so I'll answer a call for help there, with the condition that it has to be a network problem -- no computer problems and definitely no printer problems.  As we all know, the three words that repulse tech people the most are "I can't print."

But parts of the network were out, and it's my day off, so off I go.  It was a weird problem, the core network was good, the wifi was up, but parts of the network were out.  After some simple tracing I found the culprit: the earthquake had shaken the power cord loose from one of the switches upstairs.

So that explains the tremors.  

Fri Apr 05 2024 16:18:49 EDT from IGnatius T Foobar

I ended up factory-resetting my router which solved most of the problems.

i suspect it hits an actual site, as the gateway could be up, but non functional. 

Could it be interference and just coincidental timing ? 

Thu Apr 04 2024 00:43:51 EDT from IGnatius T Foobar

. Maybe it pings the gateway or something. 

Ok, scratch the above. I tore both machines down, redid them. It works. i donno. Some days i hate computers. 

so a bit of frustration with my attempt at wireguard..

use case:  now that my off-site backup plan is ruined. i thought about dropping off a tiny ARM box with a couple of TB storage at my brothers house. Have it auto connect to my network, and once a week or so do an RSYNC over ( with z... compress the data )

Trying not to be fancy, 'just enough' to get the job done. Cant ask for ports to be opened nor do i want to effect brothers network at all ( and it might move to another house at any point so has to be self-contained ), so I figured id use either openvpn or wireguard and reach out, not in.

Openvpn - setup is easy, i have a server now for when i travel. But getting things so i can get back into the remote device, not so easy.

Wireguard, got it setup using some 'easy wireguard docker image' ( wg-easy ) that has a gui that creates config files for you, even QR codes. It worked for incoming just fine and was pretty painless. Problem is that its docker, so again, getting back to my device would be a pain. Either screwing with networking in docker, or perhaps a shell in the container, bla bla. But it did at least connect and work.

• Trying it on the bare OS using the below link.  I can only get it sort of working.
• Server, starts, runs properly. Client, i can connect manually using wq-quick but not yet as a auto start service ( systemd..bleh, but i can figure that out later once network is right ). But cant seem to get it to be reachable on my network.  Only can access the client via the server, using ssh. If what im doing just isn't doable, i guess a double hop via server isn't end of world, just not as convenient ).  
• If i follow directions exactly, and put both devices it on an unused subnet, i expect that to happen, but i also lose all connectivity out of the client, other than being able to ping the gateway..  Again, not end of world i as i 'could' use the server and ssh over.. but it should work.. it worked when i had the docker version of server going.
• If i change the IPs to unused addresses on my normal subnet, its pretty much toast.

So i guess the real question is, with the above issues, is he missing some steps? Or am i just a dumbass and missing something obvious?

Link im using -> https://www.stavros.io/posts/how-to-configure-wireguard/

Acidic?  I'm agreeing with you.  

Myself, if ( or when ) i was playing with cluster stuff to try a few things, id just do nested VMs on a larger host...   One cheap xeon would eat a room of PIs and be far easier to setup, break, tear down, rebuild, snapshot, bla bla etc.

Only reason id want to run a bunch of lower power would ARM boards would be for a true fault-tolerant ceph storage cluster.  Smallish ARM boards excel for that. ( tho id still not choose pi.. ech )  ok i guess there are 2 reasons.. the other is for the other use of cheap ARM ., embedded IoT.. but im more liable to use ESP32 instead these days.

And, im talking cheap ARM since RPI was brought up.  The high end, not throwaway cost stuff, of course i love for 'real' use, as everyone around here knows by now :) 

Thu Mar 14 2024 13:21:37 EDT from IGnatius T Foobar

I am sure I could build something with raspberries that would count as

a portable cluster.

Yeah, you could be a lillicluster whore like Jeff Geerling. Or you could buy one computer with enough power to blow away the biggest pi-cluster.

I know, I know, it's all proof of concept stuff. And for learning. And for whoring on YouBoob. In my case I don't care, I have access to a million dollar lab environment at work. My stuff is here to run actual workloads, and I'm going to do that as efficiently as I can.

ewwwww

Thu Mar 14 2024 12:33:39 EDT from darknetuser

I am sure I could build something with raspberries 

Normally if i'm not at my house, id use VPN ( or guacamole ) to get to whatever i want.

This as an odd ball edge-use case.  Was more relevant about the similar loss of network like docker, than the setup itself  :)

I dont see why you couldn't.   I was going to try it before i posted an answer, but of course the damned network was hosed on the container i just created. ( grr! )  and i dont have time to f- with it.   Not sure 100% how the video would work on console, but you can always install xrdp, x2goserver ( my preference for remote desktop access ), or even VNC. 

For what its worth - Reason i had the 'minimal desktop' on the host was so it was 100% standalone/portable, but with option to use PVE backup server across VPN. I can use the native browser to get spice/vnc sessions, remote Xterm, or just ssh, to access desktops in a vm. and the browser to manage the host. And no, i dont normally do that. This was an exception case as it needed to be portable and still have access to my backups, tho i have heard of people doing it on a regular basis. But i would think virt-manager + kvm would be better in most cases. 

Tue Mar 12 2024 09:04:57 EDTfrom IGnatius T Foobar

I'd be more interested in running a desktop environment inside an LXC container.

Can you do that? Yes I know, you're not supposed to do that, but I wonder if it's possible.

its tempting just out of curiosity.  

Last week, Meta, LinkedIn, and Comcast all experienced outages lasting between 1-2 hours that impacted users’ abilities to access widely used apps and services, including Webex, Salesforce, and Amazon Web Services. Join our webinar tomorrow as our Internet experts will walk through these events as seen in the ThousandEyes platform. For each outage, we’ll cover:

Standalone development machine.  Just enough to get a browser to work. 

Yes, an exception, not a rule.

Wed Mar 06 2024 04:16:46 EST from darknetuser

I also noticed if i install lxde on a PVE host it does the same
thing, routing to the outside is hosed.. but not if i install xfce4.
lxde has some extra network management stuff it installs..   a
pattern at least.

Why would you install a desktop environment on a PVE Host? You are not supposed to run services directly on the metal.

What is odd, is i blew away the box last night.. Setup PVE on it so i could play with this on VMs to make it easier to work with. ( snapshots and such between me dinking around with stuff )

The first test VM is working like it should be.. grrrr      Well after i loaded the correct version of Debian on. seems i cant read.. i installed the previous version the first round and didnt notice until i tried to install it " bla bla library version isn't available..  DOH" . I keep an old ISO around just in case.. 

I also noticed if i install lxde on a PVE host it does the same thing, routing to the outside is hosed.. but not if i install xfce4. lxde has some extra network management stuff it installs..   a pattern at least.

Not a lot of details yet, but just today found out that if you install most current docker.ce on Debian ( and i think Ubuntu ) it modifies your routing and in the process kills internet access for your host. But local network still functions fine ( might kill DNS too, i have mine off my router so it still worked )

Not just me, i see others asking what the hell is up too. 

Not yet looked to see what is going on.. but removed it, and networking is back.  I guess now i have a task for Sunday.

Grrrr

its been a few years, as the 2nd day i moved to fiber i got my dedicated IP ( a previous story )

But i think i had both a v4 and v6 address. I know i had v4 as is that is what i had/have setup for DNS, and of course it failed at first.  Of course only visible to my neighbors ( i assume. i didnt test.. ) This "neighborhood NAT" stuff was new to me so i just called to complain and didnt play with it any.    I guess i should add the v6 address too someday soon? 

Wed Jan 17 2024 03:12:37 EST from darknetuser

In DS-Lite your routing gear connects to the ISP using Ipv6 ONLY, then some router upstream gives you a NAT ipv4 tunnel to the outside world.

Wouldn't that be the case for anyone who is behind a neighborhood NAT too?  Or at your local coffee shop NAT.

At least effectively, since you cant get in from the outside.. ( or for us old timers, 'in thru the out door'... with luck you all get the reference )

Tue Jan 16 2024 18:24:52 EST from msgrhys

My isp does not provide ipv6, heh.

 

My isp does not provide ipv6, heh.

Tue Jan 16 2024 17:17:39 EST from IGnatius T Foobar

I'm actively thinking about how I want to set up my VPN mesh as I shuffle things around.

And yet ... I might not need it at all.  I'm slowly coming to the realization that just about every location has IPv6 now.  My hosting front end has IPv6, my home network has IPv6, and my smartphone is native IPv6 (from which it is derived that my laptop has IPv6 when I tether).

What are the reasons to use a VPN?  Reachability and privacy.  IPv6 solves the reachability issue, and just about every protocol now has its own TLS encryption now anyway.  So I might just go without!

Not me. I still want a wall up to the outside. 

I'm actively thinking about how I want to set up my VPN mesh as I shuffle things around.

And yet ... I might not need it at all.  I'm slowly coming to the realization that just about every location has IPv6 now.  My hosting front end has IPv6, my home network has IPv6, and my smartphone is native IPv6 (from which it is derived that my laptop has IPv6 when I tether).

What are the reasons to use a VPN?  Reachability and privacy.  IPv6 solves the reachability issue, and just about every protocol now has its own TLS encryption now anyway.  So I might just go without!

Right. However LoRa does have the range advantage, but its traded for speed. ( and isn't really native IP ) so i do see a place for both in the world. But ya, it might eat into some IoT use that LoRa has been dominating over.

And apparently its really low power resource use too.

Wed Dec 27 2023 13:17:41 EST from IGnatius T Foobar

Weird. So they're going to do something in the 900 MHz band, like 1st-generation cordless phones. I could see it taking some market share away from LoRa and Zigbee on the basis of "you already have it" if they start building it into consumer grade routers.

802.11 ah halow.  just heard about that today, seems interesting.  Be good for neighborhood mesh ..

Yes, yes it does.  And it works well.  I'm using it to build a virtual network across five (ok now four, since one machine moved recently) sites.  Some of the wireguard endpoints are individual machines, but others are gateways with subnets behind them.  Among the gateways, one is a virtual machine running the reference implementation, and one is a Mikrotik router.

At present, I have to manually establish links between pairs of sites.  There's no automatic full mesh.

Software such as Tailscale handles that for you, but it requires their server and their software on each endpoint.  I'm, looking for a standard way of automatically establishing a full mesh.

WireGuard has built-in routering.  You just need to connect your peers and WireGuard handles all routing internally.

So a mesh of friends...

Or am i still way out in left field :) 

so a public mesh , in effect?

WireGuard runs UDP.  Since it runs in the kernel, it can be any port you want.  Fun fact: there's no default "wireguard port" in the spec.

Thu Nov 16 2023 14:38:59 EST from Nurb432

Totally out in left field i know..and i could go look i guess

But is the protocol across UDP or TCP ?

Reason i ask office blocks nearly all UDP packets on public WiFi. and nearly all ports other than 80 and 443 and a couple others across TCP. I have a hard time getting anything to work. "we are so secure" yet they prevent people from using it to be secure too. Oh and while its not 'blocked' VPN use is forbidden on the internal network unless its theirs. You get caught you get fired.

Totally out in left field i know..and i could go look i guess

But is the protocol across UDP or TCP ?

Reason i ask office blocks nearly all UDP packets on public WiFi. and nearly all ports other than 80 and 443 and a couple others across TCP. I have a hard time getting anything to work. "we are so secure" yet they prevent people from using it to be secure too. Oh and while its not 'blocked' VPN use is forbidden on the internal network unless its theirs. You get caught you get fired.

You can still use KittyGuard!  Just make sure you do "doas pkg install -y miniupnpc" then configure KittyGuard appropriately.  KittyGuard uses the upnpc command to get its UDP port forwards for WireGuard packets to come in.

With WireGuard, there is no need to sit at the network edge, as long as packets can flow, you're good.  KittyGuard makes that part easy.

Thu Nov 16 2023 09:34:59 EST from IGnatius T Foobar

KittyGuard and Pritunl both look like they roughly exist in the same space as TailScale. Now that WireGuard is here it looks like lots of people are attracted to the idea of using it as an overlay network instead of manually stitching together point-to-point links as was the common practice with IPsec.

I like this approach. I like it a lot. And yet, I cannot use it. Actually I could use KittyGuard if my FreeBSD machine was sitting at the network edge, but it isn't. All of the machines at my home are sitting behind a Mikrotik router, which supports WireGuard natively. Yes, I know I could switch to any of half a dozen different open source routers running on a cute little edge device, but I spend my days designing and maintaining data centers and I gave up high-intensity home network sysadmin job 12 years ago. And anyway my home network is all Mikrotik, the router has the controller for the wifi access points, etc.

So anyway, I've got the Mikrotik handli

I spented the day workering on softwares.  KittyGuard v2.0 was released today.  Very nice.

https://gitlab.com/LadySerenaKitty/kgtools

I spent time in the garage, setting things up to be tossed that have not been used in a while ( like a vacuum pump.. ).

Sat Nov 11 2023 18:33:51 EST from IGnatius T Foobar

And to think ... I could have spent my saturday drinking beer and watching sportsball!

Neat

Site to site VPN ( from us to azure cloud ). As of about 5 am some traffic started being blocked. but not all..   in both directions.  And not just hard stops, some ports work, some IPs work, some dont. its not consistent.  

And of course both sides are pointing their fingers at the other side and we are getting nowhere.. 

lol. paranoid me did a search and didnt hit the link so never noticed.  Not that i dont trust YOU, but its habit.

Justification of existence.

And the constant change.. pisses me off greatly.  Make it work, leave it the F- alone.

Sun Jan 15 2023 05:40:08 AM EST from darknetuser Subject: Re: Netmaker -- an open source alternative to TailScale

The link you shared cannot be accessed from here so I just visited the main website of the project. I must say that I hate modern website design when it comes to hosting software products. The UX crowd masturbates so hard with them I feel the need to wash my hands after visiting them.

I found this interesting:

Hmm i thought it was more random and variable than that.

That is too bad.

So one of cloud flare's services is to block TOR access.  Since TOR exit-points can be any PC on the planet, how do they know? 

It does work, just not sure how it could, at least completely.

"nginx proxy manager"   Ran across this earlier this week and tried it out today. For someone who struggled getting config files to work right in 'raw' nginx, this is wonderful.

Within 5 minutes i had it installed, ( not including time to setup a vm +docker )  and 3 of my hosts setup. 2 now have ssl via the proxy, the 3rd is pass-thru ssl as the host had its own.

even tho i'm not fond of docker anything, I think i will retire my Apache proxy... 

Great..  Seems this weekend they move ALL our DNS records to be proxied by cloud flare. Even externally hosted apps.  we were told it was changing to transparent logging so was not expecting this..  They even moved department's stuff that didnt yet approve of being moved.

Explains why my stuff is slower today than normal. My test system timed out while doing some testing ( unrelated to CF ).. got a cloud flare message.   "oh crap.. no... they didnt...."

This could go in a variety of rooms.  

Got an AD today fro Amazon. Its a box to block radio signal so you can "use your router in safety"..

Um, if you are that concerned, turn off WiFi?

i will have to try that

There's no place like [::1].

Never mind i read that wrong.  Ya, that would be a one-and done without having to screw with the devices any..

Ok ill bite.Why should i choose google's over something like opendns or even cloudflare?

Mon May 30 2022 06:35:56 PM EDT from IGnatius T Foobar

Easiest thing to do, if you control the network, is to give *your* DNS server an address of 8.8.8.8

That explains a lot. 

Tue Apr 26 2022 09:19:24 AM EDT from IGnatius T Foobar

The exception is the DirecTV-branded ones, which run in the 500 MHz band because the feed from your dish *does* use the 1 GHz band.

Bit of a rant about ads/pihole earlier

Looks like my Android phones and Chromebooks are hard coded to use google DNS. I can change the Chromebook ( but not the phone. grr! ), but cant use only my DNS server, as it will break at the office.  And i guess ( never noticed before ) my Linux stuff is using what it found at install time, not changing it on the fly.  Also bogus. ( they are all DHCP, with reserved addresses on the router, and NOT manually setup )

Really, they should be using what my DHCP is handing out.  

When your up-link cable isn't clipped in and it falls out of your switch,  your network slows down. 

Bleh, hit send too fast.

My cable does NOT go to the pole. i cut that off a decade ago.  But its still in the house, and running cat5 IN the house to where i need it would be a nightmare ( i think i mentioned that, but if not, its due to stupid truss attic and stuff in the way ) and running cat 5 outside, would be costly..   So just using what i have. 

"Just use WiFi", interference around here is getting bad.  And sure, regular use is ok, but RDP and our stupid shop VPN, not so much. A little blip, and down it goes.

From what i can tell its just the new standard, bit more bandwidth and its not point to point, you can have several of the devices hanging off the same 'cable'.

Well, they arrived.  doubled my speed to the internet from my 'office' ( ~ 200m up/down now ) and a full 1gb to my servers... 

Not that 100 mb wasn't enough for the 'office', but since i had to replace the boxes anyway....

"was supposed to say 100m and 2 boxes"

Well, those coax/Ethernet adapters worked well for about 3 months.  Now network is up/down last couple of days. Bleh. 

They were cheap, DirectTV branded, no indicator lights ( not even a power light !?!?!? ) , so cant even tell if they are resetting, dead or what.   Ordered 2 more , WITH lights..  bit more expensive and not 'home units'. ( and 2.5g, and can support several boxes, not just 100m and 2.. not that ill do that, but still, better boxes )

Frustrating.  Was working so well....  

I think this is true to a point. There are always some of us willing to fight back - but you get to a point where you're like Soviet era Communist Russia, or current China - where being a dissident - they'll not only kick in your door at 2 AM and drag you to the re-education camp - your entire family and loved ones, innocent and unaware or not, will be waiting there for you when you arrive, having already received a good deal of "re-education". 

We're nearing that event horizon in the West. 

Mon Mar 21 2022 09:13:46 EDT from IGnatius T Foobar

It ends up being a cat-and-mouse game -- one that I am ok with, in fact, because the harder the pigopolists work to lock down the choke points, the harder the free world will work to build new systems that don't have choke points.

That level of Orwellian control with just create innovation in ways that the laws do not address - kind of like the way that black market drugs created illegal designer drugs that were different enough at a molecular level to evade the coverage of the law. Of course, they'll develop new laws, and the black market will figure out new ways to skirt them. 

How did that go with the drug war? Eventually, they just gave up and legalized the base drugs because - in part - the designer attempts to get around those laws were often worse than the harm they were trying to prevent with the initial laws. 

Bath salts and synthetic marijuana were worse than just relaxing marijuana laws. 

Same thing will happen here. 

Over regulation is *eventually* self correcting. I mean, the drug war raged from about the 30s until 2020 - almost 100 years - and at its peak it was brutally oppressive. But throughout that entire time, people were still getting high. 

And, they'r ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=2099295364Mon, 14 Mar 2022 16:44:55 -00002099295364@Uncensored

I think they had ( still have? ) a piracy tax in Canada on storage. "because you might mis-use that drive"

In this case they are blocking fundamental protocols. So you wont be able to get your hookup with Julia.. 

Can they stop it all. not easily but it can be done. "Only addresses we approve of ( ties back to US government wanting control over routing tables ), via protocols we approve the use of ( the commercial side of things ) and with encryption where we have the back door to ( government again )".  Any deviation = we cut your service and report you. You dont even have to be doing something wrong underneath, just the act of doing it is illegal. 

They can also mandate a 'tainted IP stack' to where you dont get a connection at all if they cant monitor your packets at the source ( like they have wanted for video output. for decades now ).   Its sort of what some of the ISPs did in the dial up days.  Not nefarious in their case, but the concept does exist.  ( and yes that is severely paranoid, but i no longer put anything past 'them' ).   

Oh,and remember that little copy of minix running on every modern x86 motherboard underneath whatever you install? Well, it becomes mandated, to kill off 'unencumbered' legacy systems.

Sun Mar 13 2022 01:39:45 PM EDT from ParanoidDelusions

We're going to see more and more of this - it was what I was talking about with rules for VR... 

They're going to sterilize the entire Internet/Metaverse whatever TF buzzword you want to use to describe being online - for the masses. It is mainstream and commercial now - and it'll be neutered down to the safest, most sanitized version possible - for those people. 

And the rest of us will be pushed further and further underground and off into the shanty-towns and ghettos of the Information Highway... far away in difficult places to reach that are very dangerous, very paranoid and very secure - and that require a strong understanding of what that means from an information technology perspective. 


Think of the slums where Winston and Julia meet in Big Brother. In fact, all of it is analogous. Big Brother, Oceania - certainly knows about Uncensored, about The Sanitarium, about who goes there, what they think and believe. As long as those places and people are containe

 




 

We're going to see more and more of this - it was what I was talking about with rules for VR... 

They're going to sterilize the entire Internet/Metaverse whatever TF buzzword you want to use to describe being online - for the masses. It is mainstream and commercial now - and it'll be neutered down to the safest, most sanitized version possible - for those people. 

And the rest of us will be pushed further and further underground and off into the shanty-towns and ghettos of the Information Highway... far away in difficult places to reach that are very dangerous, very paranoid and very secure - and that require a strong understanding of what that means from an information technology perspective. 


Think of the slums where Winston and Julia meet in Big Brother. In fact, all of it is analogous. Big Brother, Oceania - certainly knows about Uncensored, about The Sanitarium, about who goes there, what they think and believe. As long as those places and people are containe

"use commercially reasonable efforts to block BitTorrent traffic on its servers in the United States using firewall technology."


Translation: 

"The pirates will get around our reasonable efforts to block their traffic. It is what they do." 

They're just appeasing stupid people who think that once a picture of Axl Rose gets out onto the Internet, there is some way to take it back. 

Sun Mar 13 2022 13:16:13 EDT from Nurb432

Aside of one's feelings about copyright infringement, bit torrent is a protocol, not an action. This is stupid and a bad precedent.

https://www.pcmag.com/news/torguard-will-prevent-vpn-customers-from-using-bittorrent

Aside of one's feelings about copyright infringement, bit torrent is a protocol, not an action. This is stupid and a bad precedent.

https://www.pcmag.com/news/torguard-will-prevent-vpn-customers-from-using-bittorrent

So i read this as the feds want control of the routing tables? "dont let a crisis go to waste"

https://www.nextgov.com/cybersecurity/2022/03/russias-cyber-tactics-are-prompting-fcc-address-internet-routing-security/362616/

The West Coast is dense. Typically much smaller sized lots out here. You probably call them plats. Anyhow - my whole lot in Arizona is only just under 3000 sq. ft. bigger than my house in Ohio was (and the value is twice as much). 

Where we're dense - anyhow. The difference is, there can be a couple hundred miles of absolute NOTHING in all directions between two major urban areas... Like... empty... BLM *nothing* in all directions. 

Wed Mar 02 2022 17:17:19 EST from Nurb432

Around here it varies.  out in the suburbs there is a lot of signal, but it depends on what side of town. Some areas have large enough yard, you get noting. Others are sardine cans and you get plenty.. You also have lot of stores that broadcast. But, In town, out on the sidewalks not a lot. Buildings block it i guess :)  Further out into rural areas, forget it.  And of course once you hit country, there is nothing. Even if you see a house,  you are way to far away.

 

But i do think at least in 'average' suburbs like where i current live, mesh could work.  We are close enough together that you do get the houses immediately around you or as you walk down the street ( but not much more ). Now, get to the park, i doubt you would get any signal.  Ill have to try tomorow when i walk the dogs. 

Around here it varies.  out in the suburbs there is a lot of signal, but it depends on what side of town. Some areas have large enough yard, you get noting. Others are sardine cans and you get plenty.. You also have lot of stores that broadcast. But, In town, out on the sidewalks not a lot. Buildings block it i guess :)  Further out into rural areas, forget it.  And of course once you hit country, there is nothing. Even if you see a house,  you are way to far away.

But i do think at least in 'average' suburbs like where i current live, mesh could work.  We are close enough together that you do get the houses immediately around you or as you walk down the street ( but not much more ). Now, get to the park, i doubt you would get any signal.  Ill have to try tomorow when i walk the dogs. 

Absolutely agree that the value proposition of what commercial services offer is extraordinary... but it is the kind of shit you have to do - like - the service we tunnel through to host our Cits on... that irks me. Of course, regular consumers do not care nor do they understand... and I get why the big ISPs have these restrictions - with the kind of bandwidth they offer commercially - if your up matched your down and they weren't using DHCP - people would certainly take advantage of that for business enterprises. 

The value add that I see would be "no downtime, ever... no monitoring, ever... no limitations, ever... and free... the hardware would put you on a node-hopping IP network that... once you got past the initial hardware cost - would just "be there"." 

Phoenix may be somewhat unique - but the entire valley... as I drive around... it is just saturated with WiFi APs - *everywhere*. Everyone has security activated now - nobody has open APs... but if they were all open - you wo ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=2099293977Tue, 01 Mar 2022 22:21:24 -00002099293977@Uncensored

Ya it is amazing how far we have come.. in such a short time.

Tho i ( mentioned it before i'm sure ) saw cable broadband coming.  In one plant i worked at we did it in-house, ran IP across the same lines we ran the in-plant TV system.  Sure, it wasn't yet 'commercial ready' but i saw the potential as that was the early heyday of cable TV. Even discussed with our local ( rural ) cable company, but they were not interested.  "internet, what is that?"

I agree... you just have to sell them on it... you have to spin it so that they *want* to be on - maybe by incentivizing it. Much the same way that people give up all their personal data and agree to all kinds of tracking for access to free content on YouTube, Facebook, and other sites - you've got to make something so attractive about opting in that people would sign up. 

The problem would be that the incumbents have deep purses and lots of influence with the media - so any product like this would get hammered with public interest tech articles spreading FUD about it - and you wouldn't have the finances to combat it if you were deploying something like this for actually altruistic goals - right? I mean... the real reason this would be awesome is because it would defeat the stranglehold of big media on the Internet. 

So of course, big media would circle their wagons around making sure it failed. 

Mon Feb 28 2022 13:53:05 EST from Nurb432

Not 100% sure about that in this day and age, that it would be outright rejected. It could be "sold" correctly with good marketing. "you can use it when your internet goes down" Apple is doing it now, with their stupid tracking pods. I remember Comcast doing something similar, where if you had a WiFi router of theirs, they also let other customers attach to it, but separated from 'your' network.  I dont think anyone even noticed  "oh, whatever ok" ( they may still i donno )

Its enabled by default out of box, but you have to manually allow it to have internet. Few people would bother to go in and turn it off, even if they understood it. Call it a 'yet another guest network"

Mon Feb 28 2022 11:08:19 AM EST from IGnatius T Foobar

Would be neat if home routers came that way by default.   I wont
hold my breath, but it would be neat.

People would reject it unless it came with "free Internet".

Not 100% sure about that in this day and age, that it would be outright rejected. It could be "sold" correctly with good marketing. "you can use it when your internet goes down" Apple is doing it now, with their stupid tracking pods. I remember Comcast doing something similar, where if you had a WiFi router of theirs, they also let other customers attach to it, but separated from 'your' network.  I dont think anyone even noticed  "oh, whatever ok" ( they may still i donno )

Its enabled by default out of box, but you have to manually allow it to have internet. Few people would bother to go in and turn it off, even if they understood it. Call it a 'yet another guest network"

Mon Feb 28 2022 11:08:19 AM EST from IGnatius T Foobar

Would be neat if home routers came that way by default.   I wont
hold my breath, but it would be neat.

People would reject it unless it came with "free Internet".

The big ISPs would be sure to stamp it down tho.  And i suspect the government too.

Yup. That is what I mean. Something like... um.. the WPS button - but for node connecting. You could have more robust connections for those capable of implementing granular security - but something by default that would get all the morons on-board. 

Hell... you know what would be cool - if cell phones had an app built into where they could be the hop between dense urban wifi areas... so, once you got to the edge of the urban mesh, it would start hopping across cars to the next urban area. Latency would be high - because if a car didn't have a hop point... it would buffer the packets it was carrying until it got to somewhere dense. I bet you could transfer packets quickly from L.A. all the way up to Sacramento hopping along I-5 using this method. 

Sun Feb 27 2022 18:54:31 EST from Nurb432

Would be neat if home routers came that way by default.   I wont hold my breath, but it would be neat.

Would be neat if home routers came that way by default.   I wont hold my breath, but it would be neat.

Can't disagree with you there - but - the truth is, everything is zero-config plug-n-play these days. You could just opt in, it would generate a security and encryption key, and find the nearest nodes and join. 

I mean, SETI @Home - you just install a program, right? Make it that simple. 

I'm sure the ISPs are terrified of someone coming up with something like this and it being stable and useful. 

Sat Feb 26 2022 12:21:58 EST from IGnatius T Foobar

I've occasionally walked through New York City and observed that Starbucks could do their own mesh network. There are so many of those shops that each one is easily within reach of two or three others. Too bad the name "Starlink" is already used :)

What's your time worth, though? Unless you're an enthusiast, it's easier to just subscribe to a consumer grade Internet service and someone else maintains it for you. Most people don;'t want to be radio operators or network operators.

My idea is already implemented on some small scale in isolated urban areas... but when I moved to Arizona, I realized you could hop from one side of the city to the other without EVERY touching an ISP if there were commercial solutions built into home routers that would allow them to safely share bandwidth with other nearby routers. A one-button, opt-in solution. It would give you VPN like protections *and* avoid congestion *and* bypass ISP usage caps. 

And once you got to edge areas, you could logically bind lots of those routers to make an alternate backbone that would then tunnel through the ISP hops to nodes on the other side, in the next metro area - without consuming one participant's bandwidth. 

You could really make it so that the part where you hopped on the ISP for a big hop - they wouldn't really be able to stop it. Almost like torrents work. 

It seems like it would be more fault tolerant and easier to avoid censorship than the current TCP/IP implementation,

If my area was such inclined, i would setup a spare router to join in a mesh. ( or a spare machine, if my router couldn't do it )

For wifi they call that mesh..

But ultimately somewhere , someone has to get on the backbone..

Distributed Private Networks. 

Hardware based solutions where you go out, encrypted, to other devices, and then on to your destination. Kind of a hardware TOR solution, I guess. 

It is kind of a variation of my idea where we could bypass the ISPs and the authoritative segments of the Internet completely because of the ubiquitous nature of WiFi in dense urban and suburban areas. You would need a router that would act as a node, and all your neighbors would have the same router/nodes - and it would just get passed on from router to router to its destination. Big hops would require jumping onto their infrastructure still, I suppose - but you would basically share your bandwidth with everyone. 

I feel like the infrastructure to blow 5G out of the water is probably already installed in almost every house on every block - we just have to get the packet handling built into that hardware. 

Dermatois Papulosa Nigra? 

Speaking of VPN - what are your thoughts about DPN? 

It sounds kind of like my concept of using shared-nodes to bypass ISP providers almost completely. 

Oh, and i'm not really giving away any corporate secrets, stuff like this is public record for us, due to who we are. ( now the details, not so much.. )

While its not a "pubic network", we do have some public sites we host ourselves, but they are translated from something like 4 external IPs. Bunch of site-to-site VPNs both to cloud providers and vendor sites. That is what burnt us last time, we let a end point broadcast DHCP back into our network, and had an overlapping range. Some forgot to restrict that at the firewall.. Should have been SoP.

I dont know enough of why we had multicast turned on, or why turning it off wont hurt us if it was on for a reason.

We do have some 30k computers, mixed of WiFi and Ethernet, perhaps 10k servers. Guessing 20k cell phones on WiFi across several thousand sites. 15k or so hardwired VoIP phones. 2 remote datacenters, far enough away from each other that common weather or a nuclear hit wont effect all 3 at once..We do have various 'phone extender' things from ATT and Version spread around the buildings, especially in basements. Few thousand remote mobiles ( cars, trucks, etc ), on cell data back home via VPN. Tons of people coming back in from home via VPN. Lots of stuff.. everywhere...

Wait, we do offer public WiFi i guess with easy 20k more connections.. But ts a separate network, at least its supposed to be, so it shouldn't conflict? 

I will give them credit for keeping this mess alive, but when they do basic mistakes like this.. its frustrating.

Unless you run a public network... Why would multicast even get into your environment if its not used?

Since it was disabled it leads me to believe that multicast serves no function.... SO it sounds like a cop-out.

Tue Oct 26 2021 18:13:45 EDT from Nurb432

Total collapse of our network, again.  Sounds like more mis-management/incompetence? Or am i just in a bad mood and its not really their fault?

This time:

"A multicast storm into the core caused the routing process to fail. Disabling multicast routing resolved the issues"

That my feelings too. But they are not new, but after the last 2 mistakes, they should be gone.

Thu Oct 28 2021 09:36:13 AM EDT from IGnatius T Foobar

Sounds like inexperienced network administrators to me. Most of us make those rookie mistakes at some point.

Total collapse of our network, again.  Sounds like more mis-management/incompetence? Or am i just in a bad mood and its not really their fault?

This time:

"A multicast storm into the core caused the routing process to fail. Disabling multicast routing resolved the issues"

Right,that was my idea with AWS. 70 bucks a year, pretty quick to setup. 

Wed Oct 13 2021 05:29:59 PM EDT from IGnatius T Foobar

Keep your eyes open.  Although I hope to keep using Ace forever, it would be nice to have a backup.

Of course, I suppose one possibility would be to just get a cheap VPS from a provider somewhere, and just use it as a front end router.

Keep your eyes open.  Although I hope to keep using Ace forever, it would be nice to have a backup.

Of course, I suppose one possibility would be to just get a cheap VPS from a provider somewhere, and just use it as a front end router.

You could be right - I didn't pay a lot of attention to the details in the explanation. I'd have to go back and read for comprehension. :) 

Mon Oct 11 2021 08:30:40 EDT from Nurb432

Normally i would agree, but it sounds like you have to do port mapping, and currently, their apps dont support it...  So in this case i have to take his word for it.  Not going to pony out $ just to see.. 

Normally i would agree, but it sounds like you have to do port mapping, and currently, their apps dont support it...  So in this case i have to take his word for it.  Not going to pony out $ just to see.. 

I think you take people more at their word, and I believe their word is usually just them CYA and frequently you have to read between the lines... 

Which is why I'm a "better to ask forgiveness than permission," kind of guy. 

Sun Oct 10 2021 18:35:27 EDT from Nurb432

to me "at some point" implies it wont work, yet

to me "at some point" implies it wont work, yet

So this reads, "You can do it, but we don't want to know about it, and we won't help you if it doesn't work." 

Sun Oct 10 2021 18:20:13 EDT from Nurb432

Looks like its 'outbound' only for the time being, but may be on their radar at least..

 

"I appreciate your interest with our Dedicated IP, however port forwarding is not yet supported for this feature. In addition, web hosting though may be possible with using our VPN at some point, this is still not supported on our end. "

Looks like its 'outbound' only for the time being, but may be on their radar at least..

"I appreciate your interest with our Dedicated IP, however port forwarding is not yet supported for this feature. In addition, web hosting though may be possible with using our VPN at some point, this is still not supported on our end. "

there?  arrgh.  im tired. i know better, and i am not illiterate. .   *Their*

I sent a note off to there support people.  Will let you know what they say.

I was looking at AWS pricing the other day, looks like its somewhere around 70 bucks a year for a 'base' Linux VM on EC2.  I wonder if that might not be an option?

Sun Oct 10 2021 05:15:01 PM EDT from IGnatius T Foobar

Find out if they allow servers. I haven't found anyone other than Ace who allows servers, and I would love to have a backup option in case anything ever happens to Ace.

Never noticed this, but apparently my VPN service i use offered a 'static ip' option. Was setting up my phone and saw the option " apply key here "...   Might look into that to see how much, could be an option to stick some of my servers back on the open-net and not get DoSed to death. ( they are openvpn based, so no funny stuff needed )

lol. ran across a set of netware 3.2 manuals and guides in the garage.    ( i was a certified netware dude at one point in the 90's mostly useless but it did get me one job i guess )

no, wont donate those, into the recycle bin they go.

Cool. While it would not be my first choice, but it could provide an option in a pinch where moving their router wasn't practical.  If i ever needed to go down that route. The 2 things that is appealing to me would be not having to expose my home IP, and the 5mb bandwidth limitation to avoid a general DoS. 

So i have to ask, how did you pull off doing it in a vm.  

While i have business class fiber so i dont *need* it.  Might come in handy in the future. 

Agreed. I am not backwoods either - and have the same issue as Nurb. In large metro areas, if you want a static IP that you can open ports on to host, you're considered a business, and you pay business rates.


Even for a little hobbyist Citadel BBS.


Ace resolves this. They sent me a router, I hooked it up, asked them a few questions, got everything sorted and it just works. I pay $15 a month, they don't ask, I don't ask - my ISP just sees a VPN tunnel. It is all pretty awesome.

Mon Sep 20 2021 15:39:44 EDT from IGnatius T Foobar

How much stock from Ace do you own?

All of this is to say, I have no financial interest in Ace, I am just a very happy customer. I want other people to subscribe to their service because I want the service to be around for a long time.

Im not 'back woods' and here, our entire neighborhood is NATed by default.   So no direct open ports for you unless you pony up more $. Sure its doable, but then you are getting into business service territory, and doing the VPN may be cheaper, or at least competitive, AND you dont risk your home connection to DoS attack. 

My hosting provider for web/email ( business class ) limits number of emails going out, unless you pay more. Hell even O365 has limits that prevents me from using it at the office for the application i support ( i send out perhaps 300k messages a business day.. easy )

I dont know what it is, it has a sign that says 'antminer'  :)    Nah, id not actually seriously ask anyone to do that, they suck a lot of power at full speed ( about 2k watts each box, which i cant do here without melting my power bill, so only running one these days, low hash rate ). but having free power and cooling would be nice :) 

Buying solar panels and batteries one at time to put up next year for at least one of them, still at a low hash rate tho. But i'm still tied to weather as they are in the garage, to keep them out of the weather. Ifit gets above 90 i have to shut them down.  ( or move them inside and heat my house up, and run my AC costs up ).  Except for the noise, they make great space heaters in the winter tho.

Every time i see a empty power socket in the park or a solar farm or something i keep thinking, i wonder if i could back the jeep up to it and plug in for a few hours.  lol

Would love to be able to run 1000 of them in a building. make it a full time job.

Sat Sep 18 2021 11:48:06 PM EDT from IGnatius T Foobar

Is it a Tor exit node? :)

Too bad you couldn't return the hardware to them and get a discount on the service.

Since you have access to a air conditioned datacenter, i have something you can plug in for me. Its cooling fans are a little noisy but wont take up hardly any bandwidth when running. a few M a day at the most.. And in a full sized DC you wont hear the noise anyway.

cool

i do think its more than that, since they also do GUIs and stuff.

Agreed a lot of it talks via an API, but the 'toolkit' lets you build what happens after the data is collected

not a fan, but its an end-to-end thing

That sounds suspiciously like the same thing others call "serverless".

Enough with the silly terms.  We call that an API.

Its what Microsoft has branded as their ' low code' dev stuff. All cloud hosted.  Al tied to Azure. 

Wed Aug 04 2021 09:00:51 AM EDT from IGnatius T Foobar

WTF is a "power app" ?

WTF is a "power app" ?

Oh, i dont disagree its the right thing to do.. But my vendor, they are not thinking 'ahead'.  After the move to Azure, they are going to get in bed with Microsoft even more i guess, and start using power apps with web-hooks instead of writing 'real' integration engines. 

Rumor too is they are going to replace their native windows services ( like for workflows , emails, etc ) with power apps.  And migrate their piss-poor reporting engine to PowerBI.  ( reporting took a huge hit with this upgrade. it was not great before, now it sucks. and sucks bad.  Old days they used crystal, which i like and use every day, but it got too expensive to embed so they got some stupid delphi report tool that was 1/2 assed. Now its gone and the new one is 9/10 assed.

( or was that logic apps? i donno, its all the same to me. Microsoft stuff. )

All i keep thinking  is the end of my career is near..  just a little longer.

They wont. Its a 100% shift.

Even lost their AWS people, not hiring more.

Tue Aug 03 2021 09:53:09 AM EDT from IGnatius T Foobar

 

Tho all that said, this winter ( or coming spring ) we get moved to Azure, so all bets may be off? 

The smart money would be on distributing the load between AWS *and* Azure (and elsewhere if needed), and running command and control from neither.

Hybrid is really hot these days.

Tho all that said, this winter ( or coming spring ) we get moved to Azure, so all bets may be off? 

The smart money would be on distributing the load between AWS *and* Azure (and elsewhere if needed), and running command and control from neither.

Hybrid is really hot these days.

Until your 2nd comment, I was going to say i dont know how they are doing it, its all in the vendors hands so it could have been 'magic'.  We just said ' we need static ' and they made it happen. These are via non-public addresses routing only across the VPN, but i think the public side is too. While we added friendly A record DNS entries for what they gave us on public facing, id imagine they needed to be static. Or what they gave us was an A-record type of thing on Amazon side. Donno if that is how it is, or if that would even work, as never needed to look that far into it: "its the vendors problem".  But the internal traffic is 100% IP. 

They do have a problem that when they rebuild a server they cant pre-define the IP or set it themselves afterwards ( only the subnet ). Might get the same IP address back, but chances are slim. This hosed us a couple of times, as they forgot to tell us they did it and it changed, so everything we had internal broke. ( after the 2nd time we did open the entire subnet on the few ports we needed so down stream to us didnt need changing on the firewalls. but anything we were doing back up the VPN to them of course was hitting servers that no longer existed )

Tho all that said, this winter ( or coming spring ) we get moved to Azure, so all bets may be off?

Short story short of WHY we do this:

• They provide a web based app, hosted on windows servers + MSSQL, now under their control being hosted in their AWS cloud. It used to be on site ( had a temporary CTO that basically said ' if your vendor supports it you are moving to cloud" even if it didnt make sense for your app ). Id love to move it back. Been nothing but problems since we moved.
• Automation on their end reaches back down to things on our network for bits and pieces. Some of it read-only some R/W. So ports have to be open. Stuff like AD, or SCCM, solar winds, on-site SQL servers and various API calls to other apps we have. Some of our apps also reach back up to their SQL But all things that do NOT go across the internet.
• Reporting runs on site, so i have to reach back to their SQL servers. Same here, no internet access to SQL. While its technically possible of course, security team would take us about back and shoot us. The data in there is way to sensitive to allow it.
• The front end for users, IS availble on internet. As is their API. We jumped thru hoops for several years ( unrelated to the AWS move ), and finally got approval for internet facing, IF we had SSL ( duh ), SSO + MFA. ( and its subject to be pulled at any time ) So web clients, 90% no VPN for them.   Problem is 10% of my users cant do SSO/MFA as they are not part of our Azure tenant, so they have to access the web app across the site to site VPN and be on our network, or stop using the system.   Randomly changing IPS would effect them too.  Another agency that is trying to get their own install since we are not secure enough for them to share ours, i guess they are limiting who can use SSO by login, forcing their admin logins to be onsite. In my case its AD-forest based, and not a planned restriction, i just cant do it.

Sun Jul 25 2021 11:58:32 AM EDT from LoanShark

OBTW, amazon's native load-balancer product (1st-generation ELBs, 2nd-generation ALBs/NLBs) cannnot have static listen addresses. If you want that, I'm pretty sure you're rolling your own.

Which in our case, would have the static IP.  

I agree consumers wont care about what is behind it. .  But we care about the LB

Fri Jul 23 2021 02:13:02 PM EDT from IGnatius T Foobar

"Cloud native" software doesn't care because it will usually do something like start itself up and then register with a load balancer.

In a cloud environment, things like security and name services are often handled out of band.  If you're implementing their whole stack, the IP address doesn't matter a whole lot.

In a good cloud environment, launching a virtual machine that is intended to be persistent ought to offer an address lease that is long enough that it is essentially permanent, because in the real world, people use IP addresses.

"Cloud native" software doesn't care because it will usually do something like start itself up and then register with a load balancer.

Ya, sounds like we are in different environments.  Our way would not work for you, and vise-versa 

In our cases its specific 'apps' these people provide, so locking them down is the best way to go.

If they need to be wide open, then it happens via internet, not via VPN.  For us VPN is meant to be for restrictive, secure stuff.  So we lock it to IPs and ports. ( sometimes IP ranges.. but that would have prevented this mess the weekend too ).

We dont use the vendors DNS ( another security risk ) so going by name isn't an option really. Sure we can setup records in ours, but if it was going to change often, not going to add that overhead to us. And i am not even sure if our firewalls can do DNS in this case, and needs IP ( donno, i could be wrong, its not my gig. its cisco gear ). 

Mon Jul 19 2021 09:01:52 PM EDT from LoanShark

2021-07-19 18:57 from Nurb432
My vendor, which uses AWS can pin their IP.  Load balancers for web
servers, the web servers themselves, and SQL.   

So i disagree its unavoidable. Just demand it, and you get it.

It can be done in principle. You can configure an explicit IP before instance launch, for example.

But this isn't everything. Insisting on static IPs for everything would rule out whole parts of the AWS technology stack, for example you would never be able to use the `awsvpc` network mode on ECS.

And there's a lot of dynamic/automated stuff that's considered best-practice these days which would not be able to do.

My vendor, which uses AWS can pin their IP.  Load balancers for web servers, the web servers themselves, and SQL.   

So i disagree its unavoidable. Just demand it, and you get it.

Mon Jul 19 2021 06:19:22 PM EDT from LoanShark

2021-07-19 15:13 from Nurb432
If you have dynamic addresses on servers, you are doing it wrong ( at
least in my book ).

That's just the way it is, in the cloud, it's unavoidable.

If you have dynamic addresses on servers, you are doing it wrong ( at least in my book ).

Mon Jul 19 2021 03:06:16 PM EDT from LoanShark

Among other things, address allocations for individual machines are so dynamic these days that publishing routes at such a fine-grained level can be prohibitive in certain environments.

To a vendor, you only allow specific IPs and specific ports.  Running it wide open like that is a HUGE risk. You start with zero trust and work from there.

Mon Jul 19 2021 11:49:11 AM EDT from LoanShark

Then what's the point of creating a VPN link to your cloud host if you can't route traffic over it?

Office network wend down last night after losing a couple of sites due to weather, this was the reason:

Wow. That is amazing. I'm going to ask about ALL of my old, obscure, unsupported hardware here on Uncensored before I throw it away. 

Not being sarcastic - this was excellent info. 

Fri May 21 2021 11:34:37 EDT from IGnatius T Foobar

Ah, I see, the 1018 isn't a "real" HP printer, as in it doesn't use any normal HP technology and does not speak PCL.  It is a "Zenographics" printer with its own language.

This particular bastardization of printing appears to be supported by the "foo2zjs" project [ https://github.com/koenkooi/foo2zjs ].   Since foo2zjs gets included along with CUPS in your typical Linux distribution, this probably means that Linux will support that printer for much longer than Windows or Mac.

Pretty sure that is the driver set i used. ( i forget now, i just installed 'stuff' and it worked. didnt pay much attention since its all pretty routine, once i found the HP driver would not compile anymore due to my OS version change )

Fri May 21 2021 11:34:37 AM EDT from IGnatius T Foobar

Ah, I see, the 1018 isn't a "real" HP printer, as in it doesn't use any normal HP technology and does not speak PCL.  It is a "Zenographics" printer with its own language.

This particular bastardization of printing appears to be supported by the "foo2zjs" project [ https://github.com/koenkooi/foo2zjs ].   Since foo2zjs gets included along with CUPS in your typical Linux distribution, this probably means that Linux will support that printer for much longer than Windows or Mac.

Ah, I see, the 1018 isn't a "real" HP printer, as in it doesn't use any normal HP technology and does not speak PCL.  It is a "Zenographics" printer with its own language.

This particular bastardization of printing appears to be supported by the "foo2zjs" project [ https://github.com/koenkooi/foo2zjs ].   Since foo2zjs gets included along with CUPS in your typical Linux distribution, this probably means that Linux will support that printer for much longer than Windows or Mac.

Well i did say its nearly 20 years old :)    And i was wrong on model its a 1018.  

Me too. 

Oh, and i dont blame them for dropping support on a 20 year old printer, i dont expect support forever..  But if they didnt do all that firmware crap, they wouldn't have to.  just support PCL, or Postscript ( showing my age there ) or some other more modern standard and be done.

Ya, my next wont be an HP. After several over the decades.

Used to be one of the best, now they are evil crap. 

Right. just mine ( and a few other old 'windows centeric' ones too im sure )

Wed May 19 2021 07:20:11 PM EDT from ParanoidDelusions

Oh. For your printer. 

 

Oh. For your printer. 

Really? HP has dropped support for Linux *and* OSX? 

Except HP :)  They dropped support for OSX on this printer, and stopped updating the Linux driver install er so me moving beyond Debian v9 blew that too.  My first go around was just to install their drivers like i did before. but nope. So i went went 'generic' CUPS and saw that.  But as long as CUPS keeps working i'm ok. just that message i saw lead me to believe i was screwed here in the near future. 

I dont print often, mostly mailing labels and perhaps a sewing template or a recipe, but its nice to be able to do it when i want and not have to buy a new printer when mine works just fine.

its all about having to download firmware to the printer every time you print. Stupid design. Stupid idea. Should have been illegal. 

Wed May 19 2021 03:52:12 PM EDT from IGnatius T Foobar

I'd disregard that unless you're building an operating system of your own.
Every Linux comes with not only CUPS but a very rich set of drivers from several different sources, including some contributed by printer manufacturers.

Its an HP, 1212 i think ( or similar at least, I'm too lazy to go look on the back )

About 3 months ago when i reloaded my OS when i switched desktop hardware ( stopped using a NUC and went back to my xeon since i wasn't able to mine ether with it anymore. My 2 video cards were too small as the DAG reached above 4gb - arrgh ), it was time to reload cups too. And during that process CUPS people " we are no longer going to be supporting native drivers soon, you must upgrade to a 'air print' printer" or some such nonsense. The way it was worded sounded like they are actually pulling support for loading native driers in a coming soon version and not just no longer to continue to add more. 

I fully support the idea of stopping to add new ones if that is what they want to do, but cutting off what is there and works now, rather dumb. 

Wed May 19 2021 02:08:21 PM EDT from IGnatius T Foobar

What kind of printer is it? Something that only has USB? As long as it speaks some version of PCL, CUPS will always be able to support it, probably for far longer than the "official" HP drivers ever will.

But even for my quarter-century-old LaserJet 5, I can still get HP drivers for Windoze 10. And I might just go ahead and do that big expensive PostScript upgrade that was megabucks back in the day but probably $10 on eBay now. :)

I only recently ( perhaps 10 years ago ) dropped my parallel port printer laser ( i used a jet direct with it to get it on my network. ). And now, HP does not support the new one and i guess CUPS wont either shortly, so soon i wont be able to print unless i replace it...  grumble..  

Tue May 18 2021 02:53:48 PM EDT from IGnatius T Foobar

Can you save PDF to flash?  Or is that blocked?

Not blocked, but it would certainly be a nuisance. I think most people just print through USB. Or if they have a printer that isn't 25 years old like mine, maybe Bluetooth. I've got a USB-to-parallel adapter, but it only has a three foot cable and the computer is about seven feet away, and I'm too lazy to get an extension.

Hmm didn't mean for this to be here. sorry. It was work related. the POS software i support at the office.  

Tue May 18 2021 11:55:06 AM EDT from Nurb432

Damnit. Re-enabled a feature i turned off a month ago, takes the entire system down. 

 

WTF POS software

Damnit. Re-enabled a feature i turned off a month ago, takes the entire system down. 

WTF POS software

Figuring out how to do brick level backup and restore of Exchange was enough. But of course, they went, "you figured THAT out... and no one else could... why don't you try THIS..." 

No good deed goes unpunished. 

Tue May 18 2021 08:57:44 EDT from Nurb432

lol

lol

Yeah, once I had to start learning GPO... I kinda went, "I think I'm done doing IT administration." 

Mon May 17 2021 11:42:04 EDT from Nurb432

We have an entire team dedicated to it.  And at times, they still struggle. 

We have an entire team dedicated to it.  And at times, they still struggle. 

GPO is brutal. It is super complex to understand and set up... but... it certainly addressed concerns about not being able to lock down Win ADs tightly enough - if someone is willing to learn it. 

Mon May 17 2021 06:55:55 EDT from Nurb432

Its not VPN in our case that does it, its a GPO setting that even as local admin i cant undo: Our windows load only lets you use one network adapter at a time. 

was sort of a pain when i was moving from home/office once a week. Id switch from wire to WiFi and have to reconfigure my adapters..Later our WiFi at office got good enough i could just use it in both places, but then later after that I had to install a 2nd dedicated WiFi adapter or i was forced to use VPN at work too, as security team at some point decided if you were not logged into one of our boxes ( either windows, or mobile iron ), you only got public WiFi.  So public for my host, and usb WiFi for the windows load.  They used to make exceptions for people like me "just gimme your MAC " but that went away.  i guess it was too much trouble for them to do.  And no mobile-iron for Linux...sooooo

 

Mon May 17 2021 01:18:37 AM EDT from ParanoidDelusions

I mean, technically - if you've got a notebook, and you connect to the VPN over the notebook's ethernet through a DSL connection - but you've got the WiFi hooked up to an internal network... does the VPN shut down the other network? I understand the issue is that you're allowing an outside, insecured network a bridged connection into your internal network through the VPN tunnel if that happens. 

 

 

Its not VPN in our case that does it, its a GPO setting that even as local admin i cant undo: Our windows load only lets you use one network adapter at a time. 

was sort of a pain when i was moving from home/office once a week. Id switch from wire to WiFi and have to reconfigure my adapters..Later our WiFi at office got good enough i could just use it in both places, but then later after that I had to install a 2nd dedicated WiFi adapter or i was forced to use VPN at work too, as security team at some point decided if you were not logged into one of our boxes ( either windows, or mobile iron ), you only got public WiFi.  So public for my host, and usb WiFi for the windows load.  They used to make exceptions for people like me "just gimme your MAC " but that went away.  i guess it was too much trouble for them to do.  And no mobile-iron for Linux...sooooo

Mon May 17 2021 01:18:37 AM EDT from ParanoidDelusions

I mean, technically - if you've got a notebook, and you connect to the VPN over the notebook's ethernet through a DSL connection - but you've got the WiFi hooked up to an internal network... does the VPN shut down the other network? I understand the issue is that you're allowing an outside, insecured network a bridged connection into your internal network through the VPN tunnel if that happens. 

 

I feel like I used to get around Intel's non-split tunnel to allow me to print while I was connected to the corporate VPN to my local printers. 

But... maybe not. Maybe I had to drop VPN in order to do that. 

I mean, technically - if you've got a notebook, and you connect to the VPN over the notebook's ethernet through a DSL connection - but you've got the WiFi hooked up to an internal network... does the VPN shut down the other network? I understand the issue is that you're allowing an outside, insecured network a bridged connection into your internal network through the VPN tunnel if that happens. 

Maybe I just e-mailed documents to myself and printed them that way. It was a long time ago - and I remember that *some* of their VPN policies I couldn't get around, and others I didn't want to try, because they were sound policies. 

Sun May 16 2021 14:38:13 EDT from IGnatius T Foobar

Correct.  A multihomed host sits on two or more networks.

Our VPN is non-split-tunnel; when you're connected, you can ONLY make connections to the corporate network.  This both sucks and blows if you want to print something and your computer isn't within USB distance of your printer.  I have to print over the Internet back to my home printer, using a port I opened on the firewall to permit print jobs to connect from the address I know the VPN site will go back out on.

Where are the HTTP logs? I should probably review those. :D 

Sun May 16 2021 14:23:19 EDT from IGnatius T Foobar

You're too nice. 

Just lazy.  I could be a lethal digital vigilante if I wanted to spend the time.  I am satisfied enough by offering my sister to every madarchod who calls to sell me an extended warranty on my car or credit card services.

Let 'em make noise at my door.  They won't get in.  There are only a few SSH accounts and they have good passwords.  It's even more fun to watch the HTTP logs.  They're constantly trying every PHP vulnerability in the book.

Can you save PDF to flash?  Or is that blocked?

Technically it is here, but i can share a 'folder' to my VM and get around it, if i really needed to. Last time i did that was when i wanted to give my vendor some logs while they were on site, they were too big to email ( several hundred meg ) and they could not get their SFTP running.. And to get an account on ours, is like running for congress with no money.

So i shared it as a folder, not a USB device and poof, copied the stuff over.

In the past i have had to use my home machine... but the files were huge and they were here for a change and not in the UK.. 

Correct.  A multihomed host sits on two or more networks.

Our VPN is non-split-tunnel; when you're connected, you can ONLY make connections to the corporate network.  This both sucks and blows if you want to print something and your computer isn't within USB distance of your printer.  I have to print over the Internet back to my home printer, using a port I opened on the firewall to permit print jobs to connect from the address I know the VPN site will go back out on.

You're too nice. 

Just lazy.  I could be a lethal digital vigilante if I wanted to spend the time.  I am satisfied enough by offering my sister to every madarchod who calls to sell me an extended warranty on my car or credit card services.

Let 'em make noise at my door.  They won't get in.  There are only a few SSH accounts and they have good passwords.  It's even more fun to watch the HTTP logs.  They're constantly trying every PHP vulnerability in the book.

As a matter of fact, can we get something like this as an opt-in feature with the easy-install? 

"Proactive Security? Y/N?" 

Sat May 15 2021 22:19:07 EDT from ParanoidDelusions

"Account Authenticated, the SSH key of the machine you are connecting to does not match the one stored on this machine. Click YES to accept the new SSH key." 

"Congratulations N00b - you're infected. pWn3d."

 

Sat May 15 2021 22:17:39 EDT from ParanoidDelusions

The thing about randomly knocking on doors is - you never know who might answer. 

 

Sat May 15 2021 22:16:33 EDT from ParanoidDelusions

You're too nice. 

 

 

 

"Account Authenticated, the SSH key of the machine you are connecting to does not match the one stored on this machine. Click YES to accept the new SSH key." 

"Congratulations N00b - you're infected. pWn3d."

Sat May 15 2021 22:17:39 EDT from ParanoidDelusions

The thing about randomly knocking on doors is - you never know who might answer. 

 

Sat May 15 2021 22:16:33 EDT from ParanoidDelusions

You're too nice. 

 

 

The thing about randomly knocking on doors is - you never know who might answer. 

Sat May 15 2021 22:16:33 EDT from ParanoidDelusions

You're too nice. 

 

 

Hell, why not "root/root" with it instantly dumping a *terrible* Windows virus back on them when they connect? I'm sure you could do that. 

And imagine how many script kiddies you could take out in a day. Leave .txt message on their freshly formatted C: Drive. "Next time, I run your credit until you're 80, asshole." 

You're too nice. 

Sat May 15 2021 14:26:44 EDT from IGnatius T Foobar

Any port on any address will be scanned, constantly and hard, by black hat scumbags, mostly from China (but occasionally going through proxies elsewhere made out of machines they've taken control of). This is true regardless of what hardware and software you are running. It's just a fact of life right now.

There are some tricks I've employed over the years that seem to work pretty well.

One is to set up an account with a very obvious username, like "admin" or "oracle" or "guest" or even "root" if you're able to use it, and the password should be the same as the username. The moment that account is authenticated successfully, the system should block the connecting IP address. That slows them down for a while. You might call this a slightly modified honeypot strategy.

Another is to slow down the rate at which they are able to establish new SSH connections. For example, the following iptables rules will block an IP address if it attempts more

Speaking of all this. i think its time for me to setup my guacamole to 2FA, or take it offline to the outside.  Any more its turned off since i work from home now, but that will change eventually.

Unsure how 'safe' openvpn is with keypairs.  I guess safe enough?

Right, but if i split my ports up, then my reverse proxy isn't there to die due to the load. Yes i could find another. but at this point its not worth the trouble.  

Sat May 15 2021 02:26:44 PM EDT from IGnatius T Foobar

Any port on any address will be scanned, constantly and hard, by black hat scumbags, 

Multihomed usually refers to a device having two  (or more) physical NICs, each on a separate subnet. Sometimes you would use a multi-homed machine to make certain things accessible outside, certain things inside. Other times you would use a second NIC as a heartbeat or maintenance network (for example, running large backups on the second nic isolating that backup traffic from the main network)... 

 

Tue May 11 2021 20:15:57 EDT from Nurb432

 

Perhaps multi homed isn't the correct term, but its what we always called it.

 

 

Tue May 11 2021 07:53:17 PM EDT from IGnatius T Foobar

 

I have copy/paste turned off ..  And our VPN is no longer multi homed, so when its on, its really off my network.

By that do you mean that it is not running in a split tunnel configuration?  That's pretty typical these days.  And it's a good idea ... until you need to send something to your network printer at home.

 

 

in the old days the routing was split so you still could do things like that.  Back then we also would run it on our personal computers and few of us had laptops.  So anything that didnt need an office IP went out your own line, like messaging, gmail, printing, whatever.   Mostly for work we just would RDP back to our desktops, or a server. They all had the apps we needed, not our home device.

Once that was taken away most everything you would want to do, like check your personal mail, quit due to firewall rules on the office side.  I moved to a minimal VM the next day, dedicated to VPN+RDP.  Tho i did have both laptop and desktop, my laptop at the time was mostly for presentations when i would visit clients it dint have the horsepower to do my real work. That changed 2 or 3 years ago for me, but i still didnt carry it home on a regular basis.

Now its either a shop VM like i do or an actual 2nd device since nearly everyone got a laptop that didnt already have one when we were all sent home last year. Now even people that come into the office, keep their laptop, and are told they must take it home every evening. "just in case of disaster". That was being floated even before the virus forced the issue. We had a flood in a floor below us, took out every desktop  "see you cant rely on RDP".. which i guess is true, when you dont have a VDI infrastructure to handle 1000s of people at once.. 

Of course now more ( most ) of our apps are web based, and externally accessable.. not all, but most. A lot has changed over the years. Some dont need anything other than a browser. ( im close, still a couple of fat clients left for me )

Perhaps multi homed isn't the correct term, but its what we always called it.

Tue May 11 2021 07:53:17 PM EDT from IGnatius T Foobar

 

I have copy/paste turned off ..  And our VPN is no longer multi homed, so when its on, its really off my network.

By that do you mean that it is not running in a split tunnel configuration?  That's pretty typical these days.  And it's a good idea ... until you need to send something to your network printer at home.

 

I have copy/paste turned off ..  And our VPN is no longer multi homed, so when its on, its really off my network.

By that do you mean that it is not running in a split tunnel configuration?  That's pretty typical these days.  And it's a good idea ... until you need to send something to your network printer at home.

I was at a Defcon a few years back and saw a seminar where they were talking about the challenge with port-scanning was that it was really slow on a global scale. It would take forever to go through and scan all open ports on all public IP addresses around the globe. The presenters had developed some new solution that could scan the entire globe in a matter of hours... and they were demonstrating how they were finding back-door portals to things like internal police booking systems that were not password protected - "unpublished" sites that were relying on just having IP addresses instead of URLs for their "security".

I can't remember all the details - but I would assume that an increase in volume has come from white-hats doing these kind of scans, but also black-hats getting the technology and using it as well. 

Combined with increasing numbers of script-kiddies just hammering on any open port on any public address the old fashioned way - it is rush hour on the dogs sniffing your I

Tue May 11 2021 09:03:21 EDT from Nurb432

fail2ban helps with the script kiddies.

 

However, i have run into a problem that i didnt have in the past when i was running tinyproxy.  After a bunch of open connections it sort of gets lost and does not really hard fail, but quits working. Only a reboot fixes it ( not even a service restart ) i upped the limits, and dropped the timeout , but i'm sill getting flooded with connections, and they are not closing their session, so it builds up, fast.  It seems they are from random IPs so fail2ban isn't blocking them first.  I guess things have got worse over the years in the volume of constant attacks ( might also be partly due to me being on a different ISP now with far more bandwidth. I was on Comcast back then, now its a fiber company ). Even before it dies, it starts slowing down due to the hammering. 

This most likely was causing the problems i thought i was having before that caused me to look for something else ( ended up with pound ). i was sure it was just me and i had it mis-configured due to poor memory of what i did last time, and then after that thinking citadel wasn't responding. Pretty sure now it was just due to me being hammered to death.

For the time being i shut it down, i may end up having to run on odd ports after its all said and done. Not that its a fix for the attacks, but if i dedicate various ports to each app ( what i was trying to avoid ) at least things will work.

 

Frustrating.

 

fail2ban helps with the script kiddies.

However, i have run into a problem that i didnt have in the past when i was running tinyproxy.  After a bunch of open connections it sort of gets lost and does not really hard fail, but quits working. Only a reboot fixes it ( not even a service restart ) i upped the limits, and dropped the timeout , but i'm sill getting flooded with connections, and they are not closing their session, so it builds up, fast.  It seems they are from random IPs so fail2ban isn't blocking them first.  I guess things have got worse over the years in the volume of constant attacks ( might also be partly due to me being on a different ISP now with far more bandwidth. I was on Comcast back then, now its a fiber company ). Even before it dies, it starts slowing down due to the hammering. 

This most likely was causing the problems i thought i was having before that caused me to look for something else ( ended up with pound ). i was sure it was just me and i had it mis-configured due to poor memory of what i did last time, and then after that thinking citadel wasn't responding. Pretty sure now it was just due to me being hammered to death.

For the time being i shut it down, i may end up having to run on odd ports after its all said and done. Not that its a fix for the attacks, but if i dedicate various ports to each app ( what i was trying to avoid ) at least things will work.

Frustrating.

Ok. That makes sense. I agree with the single point of failure. It seems like a lot of risk, and a lot of effort, just to be able to tell Chinese subnets to go fluck themselves... especially when it won't prevent domestic attacks anyhow. 

It is so simply built into Synology NAS solutions... it is too bad that Proxmox doesn't have a feature as sophisticated. Fortinet does - and I've got a friend who used to be able to set up blazing Fortinet deals... but - again... more hardware, SPOF... etc... 

I guess I'll just keep letting them hit SSH with root every couple of minutes for as long as I keep the BBS up. 

So its back to tiny proxy which was actually working. Surprisingly i was right on just needing to setup some upstream settings to fake it into thinking they are upstream proxies.  Problem was citadel was not talking back, so i just assumed it was forgetting something and it was just broke and wasted a lot of time.  So tried it with a couple of other web servers running they all worked.

Got some errors on start on the citadel server too about ports being locked, which makes no sense as i installed *nothing* else. I think ill just start over as i know it worked the past with this setup.

Also need to redo my proxy server, clean it up from the failed attempt with pound. and switch it all over to port 80. 

Never mind,  i give up and will try something else.  It looks like the configuration format changed recently and even the man page refers to the old format.

It seemed simple enough with the old config format. But now its changed, and i see zero actual documentation the new way and anything i have tried pisses it off.  So its a hard stop.  Too bad too. 

Sat May 08 2021 05:23:25 PM EDT from Nurb432

So anyone used "pound" as a reverse proxy?

So anyone used "pound" as a reverse proxy?

"can" but i woudl rather have it on a fat VM.

im still old school and not really ready to accept containers and by the time i have to, it wont matter anymore.  Tho i guess i was an early adopter of the concept of VM back in the 90s, in effect. I realize is the same tech underneath, but same idea at least. On my ST i ran PCDitto and Spectre for mac ( i had access to a dead mac so i was able to get legit roms )

Sat May 08 2021 01:42:58 PM EDT from IGnatius T Foobar

You can run the database in a container too, as long as you have a way of keeping its data somewhere other than the container's writable layer.  For example, I maintain a system where a bunch of applications in containers connect to a MariaDB instance running in another container, but that container has /var/lib/mysql mounted as a persistent volume.  I can upgrade the MariaDB container at any time (yes, with an outage) and keep the data.

The clouderati expect you to connect to "their" database-as-a-service, which will have clustering and load balancing.  They probably still run it in containers.

 

You can run the database in a container too, as long as you have a way of keeping its data somewhere other than the container's writable layer.  For example, I maintain a system where a bunch of applications in containers connect to a MariaDB instance running in another container, but that container has /var/lib/mysql mounted as a persistent volume.  I can upgrade the MariaDB container at any time (yes, with an outage) and keep the data.

The clouderati expect you to connect to "their" database-as-a-service, which will have clustering and load balancing.  They probably still run it in containers.

Ya they are good for propping up multiple front ends when you get hammered by customers, but your server(s) doing the work ( db, workflow engine, whatever ) is on a real VM.

I have never been a fan of them. 

It's not really a great idea to think of a container as a lightweight VM.   Containers are not intended to be persistent.  You launch a container with an app in it, you knock it down and launch it somewhere else, or in several places, whatever you want, and you *don't* save your production data in the container's writable layer.

The idea behind a container is that you launch it, it attaches to its data source somewhere, it exposes a service, and then you figure out a way to get connections into that service (such as registering it with a load balancer).   You wouldn't want to run a firewall in this mode.

But yes, nuking China is *always* a good idea.  If you run any service on the Internet, you can count on the Chinese hammering it with brute force attacks 24/7/365.

It also another single point of failure. If you run a host farm with fail over, worst case you move your firewall vm to another host. 

Fri May 07 2021 09:23:30 AM EDT from ParanoidDelusions

Well... adding an entire other full machine increases the footprint of the machines I have to maintain and keep secure - so running an external Firewall moves away from the simplifying I was trying to achieve with virtualizing. 

It

Well... adding an entire other full machine increases the footprint of the machines I have to maintain and keep secure - so running an external Firewall moves away from the simplifying I was trying to achieve with virtualizing. 

It becomes a kind of catch-22. I had a dream where I had started a corporate IT job and I was kind of taking stock of the lab equipment in the cube that had been left by the last guy and how I was going to set it up and what it involved... the boss, a button down woman came in and after a few words with her, I realized I was going to have to reconfigure the machines so that the screens would be facing INTO the cube, not out into the walkway between the cubes. Then she gave me two printed memos and the second one wanted me to manage the PR for some new platform or product - and I was already thinking, "Don't you have a PR department to do this kind of shit? Why is it getting sent to IT engineering?" 

And I think the point here is - I've been doing a lot of p

Fri May 07 2021 06:58:34 EDT from Nurb432

I think i read somewhere that containers have some network limitations ( someone else was trying the same thing ), but in theory i dont see why it would not work.

I tend to prefer full VMs. But its just a preference. Im still old school. ( go figure )

I think i read somewhere that containers have some network limitations ( someone else was trying the same thing ), but in theory i dont see why it would not work.

I tend to prefer full VMs. But its just a preference. Im still old school. ( go figure )

Yeah, I considered that. Could it be set up as a container instead of as a full VM? 

I could also pop a hardware firewall in between the Cisco and my network. 

Thu May 06 2021 18:20:51 EDT from Nurb432

You could run your firewall/router/etc as a VM. I did that for a bit with pfsense, mostly playing around.  

I guess i sort of do now, as to get into my network from the outside its a VPN connection, from inside a vm. 

Thu May 06 2021 06:15:34 PM EDT from ParanoidDelusions

Synology has a neat firewall that will refuse all traffic from geographic regions... i.e., China, Russia, India... 

It is a single rule for each country you want to block. It is easy to implement. I'm sure it isn't foolproof, but it is a great option for a SOHO/Personal use model. 


I wish Proxmox had a feature like this. It looks like with Proxmox, you have to put in entire subnets to block, and this slows down the firewall. 


https://forum.proxmox.com/threads/how-to-block-ip-list.37801/


I mean, they're not getting anywhere. They're just hitting the SSH port, trying root, failing, and going away. 


But it fills my logs and makes me want to nuke China. 

 

 

You could run your firewall/router/etc as a VM. I did that for a bit with pfsense, mostly playing around.  

I guess i sort of do now, as to get into my network from the outside its a VPN connection, from inside a vm. 

Thu May 06 2021 06:15:34 PM EDT from ParanoidDelusions

Synology has a neat firewall that will refuse all traffic from geographic regions... i.e., China, Russia, India... 

It is a single rule for each country you want to block. It is easy to implement. I'm sure it isn't foolproof, but it is a great option for a SOHO/Personal use model. 


I wish Proxmox had a feature like this. It looks like with Proxmox, you have to put in entire subnets to block, and this slows down the firewall. 


https://forum.proxmox.com/threads/how-to-block-ip-list.37801/


I mean, they're not getting anywhere. They're just hitting the SSH port, trying root, failing, and going away. 


But it fills my logs and makes me want to nuke China. 

 

Synology has a neat firewall that will refuse all traffic from geographic regions... i.e., China, Russia, India... 

It is a single rule for each country you want to block. It is easy to implement. I'm sure it isn't foolproof, but it is a great option for a SOHO/Personal use model. 


I wish Proxmox had a feature like this. It looks like with Proxmox, you have to put in entire subnets to block, and this slows down the firewall. 


https://forum.proxmox.com/threads/how-to-block-ip-list.37801/


I mean, they're not getting anywhere. They're just hitting the SSH port, trying root, failing, and going away. 


But it fills my logs and makes me want to nuke China. 

I have codes.  They dont work anymore but i have codes :P

Tue Apr 20 2021 14:57:31 EDT from IGnatius T Foobar

Thanks but no ... what I really need is nuclear launch codes. There are some pests I need to wave away.

I love that they compare themselves to the cheap Chinesium knockoffs. 

"When you're about to unleash total nuclear annihilations on the population, only trust the very best!" 

lol

citadel black

Wow, that comment reminded me of this thing:

https://www.theregister.com/2006/07/18/usb_nuclear_war_button_box/

or

https://www.thegreenhead.com/2007/05/big-red-button-doomsday-device-usb-hub.php

My ex-boss got me one for Christmas.  He wanted me to use it when I air-traveled.

Thanks for the answer. I am not sure if this is the way I'm going to go, or just figure out a way to multi-home the box with dual NICs - but I want to get started in understanding the differences between either approach. 

The hardware and experience required to get the VLAN set up seems like a lot for my goals. But, currently, I have more immediate fish to fry - on to the Linux room and more questions... 

Ok... 

So, here is the concept I don't understand about a Vlan. 

Let's say I configure my Cisco switch with a Vlan, so that it is on my public network. 7.5.0.0 and my internal LAN 192.168.0.0

How does the traffic get through the Cisco back to the actual 192.168.0.0 subnet? 

I mean - I understand... I think - that on the system, you create two virtual NICs going through one physical NIC, right? That has to be true - and then you assign outgoing traffic to either one or both of those NICs - which must be exposed to software somehow... But then the Cisco has to have a route back to the actual physical subnet. Are you physically connecting the Cisco, in that example then - to the WAN, and also bridging it back to the internal network, with a static route defined on the Cisco to the internal network? 

Agreed. Between ineptitude, curiosity, and the potential for the payoff being larger than the penalty... 

There is also just stumbling across something in your regular work duties. Also... regardless of if everything is logged and cameras are everywhere - assuming your security is bulletproof is always a bad idea. I feel like the highest security places are always the shops with the highest profile leaks. 

Wed Apr 14 2021 09:49:27 EDT from Nurb432

"i got the secret to the universe, go ahead and fire me"

Sometimes threat of being terminated is not enough to stop people.  Especially if that is why they are there in the first place.    Its better to assume zero trust. 

Wed Apr 14 2021 09:20:19 EDT from IGnatius T Foobar

There is such a thing as "lawful intercept". If the data center operator receives a warrant for something on your server, they are typically not permitted to tell the server owner that data or network traffic is being extracted.
This is true regardless of whether your server is "managed" or simply colocated.

As to whether the employees of the data center would snoop on customer servers just for fun -- that is a matter of whether you are using a reputable hosting company. At my data centers it is grounds for termination, and we *will* find out; all access is logged and the cameras are always rolling. But if you're using a mom-and-pop hosting company with a 1000sqft data center, then yes, you can expect them to poke around when they're bored.

 

"i got the secret to the universe, go ahead and fire me"

Sometimes threat of being terminated is not enough to stop people.  Especially if that is why they are there in the first place.    Its better to assume zero trust. 

Wed Apr 14 2021 09:20:19 EDT from IGnatius T Foobar

There is such a thing as "lawful intercept". If the data center operator receives a warrant for something on your server, they are typically not permitted to tell the server owner that data or network traffic is being extracted.
This is true regardless of whether your server is "managed" or simply colocated.

As to whether the employees of the data center would snoop on customer servers just for fun -- that is a matter of whether you are using a reputable hosting company. At my data centers it is grounds for termination, and we *will* find out; all access is logged and the cameras are always rolling. But if you're using a mom-and-pop hosting company with a 1000sqft data center, then yes, you can expect them to poke around when they're bored.

It does not mean they WILL, but they CAN.   Always assume the worst with security, its safer.  Depending on the use case, you might be able to mitigate somewhat with encrypted files and such, where you keep the keys, but they still need a certain level of OS access to support the stuff. ( and i dont blame them for that, if its in my network i need some visibility or you are a risk to everyone else )

We have that problem ourselves, so we get the stuff signed off on by all parties so if it does go south and we end up on the evening news, we can at least blame them.

Wed Apr 14 2021 06:02:18 EDT from darknetuser

That matches my experience, for things that are managed by an IT team.

I was wondering if it would be any different for a dedicated (rented) server the staff is only supposed to look into if something breaks, or a hostedserver that is not the property of the hoster and the staff is not even supposed to look at.

I guess it is one of those situations in which going with an external host is fine if you just need the appearance of security ("The data center has signed the data confidentiality papers, so if they mess up and our customers get screwed, we are covered"). However, not great if you need actual security (The server is a key piece in your world domination plan).

It sucks, because colocation/hosting is the only affordable way to have some sorts of benefits nowadays.

I was the manager of an IT Hosted solution in Ohio.

I mean - yeah... when the company sold, the COO saved the document about the sale on her shared drive, with an obvious name - and one of my engineers saw the file - and we all knew what was coming down before anyone else in the company.


That is how IT works. We *do* own Bartertown. I always assume that anything with corporate assets on it has no secrets from the IT staff. I tell companies if they want me to connect remotely, they're not coming through my private residential network - they need to set me up with a corporate line and notebook that will be completely isolated from my personal network.

Tue Apr 13 2021 14:46:13 EDT from Nurb432

Myself, i wouldn't trust a hosted server. They have access to your hardware.  And all the time in the world to screw with it, if they are so inclined. 

Myself, i wouldn't trust a hosted server. They have access to your hardware.  And all the time in the world to screw with it, if they are so inclined. 

Tue Apr 13 2021 14:00:16 EDT from darknetuser

Subject: Privacy of dedicated servers
Hello.

I have been wondering how private can dedicated servers, the sort offered by hosting & housing companies, be. By dedicated server, I mean a server offered in rental as part of a hosting & housing plan by a data center.

My concern is as follows: let's say I am hosting an important industrial secret in a dedicated server. For example, the formula for turning lentils into viagra). How likely is that a data center tech will compromise that information, either by negligence of by directly looking at what is in the server? Specially when comparing to a server that is yours but you placed in a datacenter under a colocation plan.

As far as I understand, dedicated servers get to run monitoring tools planted by the datacenter techs. I have heard some of them missmanage the access credentials very badly.


I know there are datacenter pros here. Any ideas or horror tales you'd like to

Actually the issue with FTP is that when the client and server exchange messages over the control channel, those messages actually contain the IPv4 addresses on which they are expected to communicate.  The authors of the protocol thought they were being clever and would able to multiplex two or more endpoints over a single control channel.    SIP does the same thing, but it actually has a good reason to do so.

A firewall that implements ALG (Application Level Gateway) for such protocols will insert itself into the data stream of the control channel, strip out those addresses, and replace them with the actual visible address after NAT is applied.  It will also open the correct dynamic ports to allow the connection to complete.

Modern software that needs to build a mesh does not take chances with ALG.  It will establish a UDP connection to a central command-and-control server on the public Internet, which identifies the IP address and UDP port number visible *outside* the client's firewall.  At this point, it knows that anyone can use that address/port to reach the originating application, so it distributes that information to all of the other clients on the mesh.   Now they all know how to reach each other and they can communicate directly without hairpinning through the command and control server.

Usually.  :)    Once in a while you get some network nazi who configures the firewall to only permit return traffic from the remote address to which you originally opened the connection.  You know this has happened because Mario Kart doesn't work and you have to ground-pound your firewall administrator for doing that.

Every little bit helps.

Right, its not the solution, juts one piece of the puzzle. But ti does help with *basic* external threats. 

Of course back during the time period i was talking, it wasn't nearly as 'inadequate' on its own, as it would be now.  Times have changed.

Sat Feb 27 2021 17:23:57 EST from IGnatius T Foobar

Not only that, but the NAT model has a habit of lulling people into a false sense of security.  Simply believing it can't be penetrated because the addresses don't work from the outside ... all of that goes away the moment someone establishes a malicious agent inside the network.

And the bad actor is just as likely to be a program or device you brought home.

 

Not only that, but the NAT model has a habit of lulling people into a false sense of security.  Simply believing it can't be penetrated because the addresses don't work from the outside ... all of that goes away the moment someone establishes a malicious agent inside the network.

And the bad actor is just as likely to be a program or device you brought home.

Most security isn't the end-all-be-all. 


I say this all the time - I'd rather be a user on a well secured Windows server than a poorly configured Linux one. The knowledge of the people running the equipment is more important generally than what the equipment is. 

Fri Feb 26 2021 08:43:39 EST from Nurb432

i agree that NAT isn't the end all to be all and just one piece of the puzzle, but i think its a bit more than just obscurity.

 

i agree that NAT isn't the end all to be all and just one piece of the puzzle, but i think its a bit more than just obscurity.

It isn't really security through obscurity. You're not routable - you're not directly reachable, if you're behind NAT.

Your router has to direct traffic to you and from you through it. Now granted, that has to happen for you to get outside, and so you can still be *touched*. But you've got a device in the middle that has to forward that traffic to or from you. 

Unless someone gets inside. Or if there is a backdoor, like a rogue WiFI AP that has weak security. There are vulnerabilities - but NAT does have a built in level of isolation that having a public, routable IP address does not. 

Fri Feb 26 2021 00:37:30 EST from IGnatius T Foobar

NAT also gives you a bit of protection.

Yes, I get it, and I still am not quite on board with that idea. It's one of those "security through obscurity" things.

When I started out in networking, no one was using NAT because IPv4 addresses were plentiful; a mid size corporation could easily acquire a /16 and put a native address on every computer, even the desktops. I think you're a bit older than me so you probably remember it too. There was no such thing as "hiding" your network topology. If you had a firewall it performed access control, and *only* access control. That's the proper way, and IPv6 will bring us back there.

It may sound unlikely that home users would be able to implement a proper IPv6 firewall, but it wasn't that long ago that we wouldn't have been able to imagine home users setting up routers at all. The residential-grade devices that currently support IPv6 default to the most typical configuration: DHCPv6 client on the WAN side, DHCPv6 server on the LAN side, and the LAN side /64 prefix being learned

How many man-hours do you think have been spent rebooting servers and waiting for memory counts, PERC controllers to come up, and system checks to complete, while troubleshooting production downtime issues? 

I got yelled at in Ohio for having a smoke break during a production downtime. 

It takes 20 minutes for a machine to do a complete reboot, including shutdown and restart diagnostics. I can sit there and look at a black screen with white text just sitting there counting down numbers for that 20 minutes if you want, or I can go out and have a cigarette and think about the issue. Either way, you're paying me - but the cigarette is probably going to help me fix your problem faster. 

Wed Feb 24 2021 19:42:47 EST from Nurb432

  I wonder how much time over the decades i have sat and waited while i loaded machines, from stacks of floppies, to CDs/DVDs, then to network images ( ghost, and later clonezilla ) and RIS type automated services via network boot. 

 

 

Tue Feb 23 2021 13:15:10 EST from IGnatius T Foobar

 

Home users better do it too, or we cant even imagine the havoc that it will create as every commodity IoT device on the planet gets infected.. 

Thu Feb 25 2021 04:51:15 EST from darknetuser

I was thinking, ipv6 is only going to give you the illusion of end-to-end connectivity, since any corporate sysadmin is going to put his network behind a firewall, so the devices will have Internet routable addresses, but won't be reachable from the outside unless then administrator adds a rule for such effect.

Pretty much like we have with ipv4 in big deployments. And in small deployments it makes no difference since either.

NAT also gives you a bit of protection.

One place i worked, wont mention the name this time, had one of the first class As given out. They gave those addresses out to all their workstations AND servers across the entire corporation ( world wide ). And were route-able, *from* the outside...   Once i got there i started waving a red flag "we cant do this just because you can" but was ignored. This was around 92ish so it was windows 3.x and OS/2 days. 

They also wrote their own anti-virus software up at corporate.  I was one of the test subjects to test for regression. i had a box of floppies with various infections.  A RED box, with a lock.  and a dedicated machine, off network ( i removed the network card and taped the thing shut ) to test with.

They were ahead of the curve on workstation and server builds, had their own system where you boot off floppy, choose the machine type, and away it went. That was nice, and a bit ahead of their time. Saved me countess hours of floppies..   I wonder how much time over the decades i have sat and waited while i loaded machines, from stacks of floppies, to CDs/DVDs, then to network images ( ghost, and later clonezilla ) and RIS type automated services via network boot. 

Tue Feb 23 2021 13:15:10 EST from IGnatius T Foobar

Those aren't problems with IPv6. They're anticipated issues with deployment strategy. Numbering on your internal network is a good example, because that is *exactly* how it originally was with IPv4. You bought service from a provider, and they gave you a block of addresses to use. NAT created the illusion that you could have a permanent addressing scheme using addresses that didn't belong to you.

Personally I believe that mid to large scale IPv6 deployments will end up looking more like IPX than like IPv4. IPX got it right -- you derived an address from the router announcement and your MAC address (which is *exactly* what SLAAC does) and then you announced yourself into the name service. The problem, of course, is that SLAAC only provides network discovery and not service discovery, but that has been addressed in RFC 8106 so maybe that's solved too.

Lol, just talked to my brother 5 minutes ago and he wants me to that it at his house for some new security cams hes wanting to install, doesn't want wireless. 

Fri Feb 12 2021 09:13:17 EST from IGnatius T Foobar

Ok then ... powerline networking? :) Anything but wireless

Heh

Fri Feb 12 2021 09:13:17 EST from IGnatius T Foobar

Ok then ... powerline networking? :) Anything but wireless

Forgot to mention, if i did run wire up there, id tie a string to my belt, and crawl with that, not try to lug the wires during the entry.  Then just pull the string and the wires on the other end.

My brother used to run cable for a living and often had no help ( houses, businesses, etc ).  He 'borrowed' one of my RC cars, and a pistol crossbow.   

Back when i did that i always had help, which reminds me of the time I re-did an office and was going to mange their hardware too. "i want all this old stuff out of here, we are going VoIP" "are you sure, we can leave it for the future and run our lines beside it, well ok, its gone then". Next day "where are my phone lines, i'm not going to pay you for the work"..    wtf.  "fine, we pull our stuff back out, including the patch panel, switch and server, and we dont want your business.  

I thought about that, but the cable that goes to the back is fried ( old left over stuff from Comcast ). The coax that is intact, only goes to the roof ( OTA antenna ) so i have to run something, no matter what i do at this point.

Yup.

Or it could be use for a single device too of course.  

Sun Feb 07 2021 11:09:23 EST from ParanoidDelusions Subject: Re: WiFi Bridge

Ok... so I am understanding what this does right then? It is basically a modern version of what I have - except you have to uplink it to your own switch for it to bridge multiple ethernet devices to your WiFi?

 

 

Ok... so I am understanding what this does right then? It is basically a modern version of what I have - except you have to uplink it to your own switch for it to bridge multiple ethernet devices to your WiFi?

Sun Feb 07 2021 10:06:09 EST from Nurb432 Subject: Re: WiFi Bridge

Yes having a built in switch would take this to the next level, even tho its is only 100mb ( more than i need for my use case ). But, i just Velcroed it to the top of a small 5 port switch.    Tested with a netgear 20 port i had in the closet, but i had forgot how noisy those fans were.  So back in the closet it went.

 

Yes having a built in switch would take this to the next level, even tho its is only 100mb ( more than i need for my use case ). But, i just Velcroed it to the top of a small 5 port switch.    Tested with a netgear 20 port i had in the closet, but i had forgot how noisy those fans were.  So back in the closet it went.

May get another, and ditch the AC/Ethernet extender thingie i have out in the garage for my crypto miners. ( or not.. they dont need much bandwidth i guess. no real need to spend the $ )

The only real issue other than nearly zero documentation i ran into is it really needs higher amp power supply.  The pc i had planned on using for power, wast quite enough. It sort of 1/2 way worked. really frustrating until i figured it out was a power thing.  I had set it up. got ti working, moved it, toast. Rinse repeat a couple of times. 

I have one of these - I love it. I have it in my gaming room and I use it to get my Amigas and my C128 and other old devices with Ethernet onto my WiFI. It has 4 Cat5 ports and bridges them to a WiFi signal. It is old, doesn't support 2ghz/5ghz or modern encryption, and I have never found anything like it made since. I go through some hoops to get it to bridge to my actual network. Basically, I have a Wifi router in the middle that this bridges to, that then hooks into the wired network in my office. 

It isn't very elegant, but it works. 

https://www.newegg.com/buffalo-wli-tx4-g54hp-ethernet-port/p/N82E16833162168

Fri Feb 05 2021 18:07:36 EST from Nurb432 Subject: WiFi Bridge

I know its an older topic, but picked up one of these things this week.  It actually lets you bridge more than on machine on its Ethernet onto your WiFi network. Same subnet.  A bit fussy to setup, but after i got it right, works like a charm. Lot easier than fussing with other solutions i have tried. 

Have it hooked to a switch in my computer room with 3 machines on it, all getting the same subnet that the WiFi is on.  But since its a switch i get higher rate in the room between machines than i did with everything on WiFi. ( since it never has to traverse the WiFi to the other side of the house now ). 

Servers are still on the other switch, attached directly to the incoming fiber.  

 

 

https://www.amazon.com/gp/product/B07KHV4SCX/ref=ppx_yo_dt_b_asin_title_o00_s01?ie=UTF8&psc=1

Yes in effect. Sure other ways to do it, but first one i found that is a true bridge, without a lot of messing around.

Running wire in my house... Short version:

I have truss roof instead of rafters. so there is about a 1.5x1.5 tunnel down the middle of the house.   Doable with a lot of effort.  However...   Picture a long rectangle of a house.  One end is the garage and entry point   2/3 down the house ( lets say east ) is the room it needs to go, and where the router is. The rooms are on north and south. Hallway down middle.  sounds simple so far, get some sheet wood and use it to crawl back there, using some string, and some poles to get it across then back down.

Problem is 1/2 way back is the air intake and it teaks up ALL the crawl way at that point.  No way around it short of removing it. So no easy way past it. Next to it is the chimney.. so a big blob of duct work in the way. I could i cut out a 2nd attic door at the 2/3 waypoint ( not really fond of doing it , but i have considered it, nothing else more storage area to use.  )

I had the roof off perhaps 12 years ago, and didnt even think of it at the time.  Perfect chance. But at the time i had coax coming in the front of the house. so it all terminated in the 'south' computer room and i never really thought about it. Now that i went fiber, it terminates in the 'north' room.

Oh, and the 'north' room is isolated from the house. no door inside or anything. ( house was oil when it was built back in the 50s, i think it was code to keep it 'outside'. ) I plan on tearing out the wall and opening it up to the adjacent utility room, but have not got around to it.  And it wouldn't solve the problem of attic access anyway, just make our utility room bigger and not have to go outside to get to the water heater. That burnt me once, it had fallen over, about bunt the house down.. I woudl check every week, but during that week it fell apart. Flooded the house.    Succy way to wake up in the morning.  Few years later thermostat suck 'on' heated up and the pressure valve blew.. and another freaking leak.   Now have water sensors out there, and going tank-less this spring.  

I have considered running some shielded cat5 outside and around the side of the house, same path/hole that the old coax is in, or even over the stupid roof .. paint it grey and no one will even notice. Just look like coax for tv. 

Sat Feb 06 2021 18:36:44 EST from IGnatius T Foobar Subject: Re: WiFi Bridge

So it's basically an access point in reverse?  I can think of a few applications for that.  Most of them involve mooching someone else's Internet and then fanning out to a proper LAN.  But you're using it in your own home.  I wish I could come over there and help you run cable.

So it's basically an access point in reverse?  I can think of a few applications for that.  Most of them involve mooching someone else's Internet and then fanning out to a proper LAN.  But you're using it in your own home.  I wish I could come over there and help you run cable.

I know its an older topic, but picked up one of these things this week.  It actually lets you bridge more than on machine on its Ethernet onto your WiFi network. Same subnet.  A bit fussy to setup, but after i got it right, works like a charm. Lot easier than fussing with other solutions i have tried. 

Have it hooked to a switch in my computer room with 3 machines on it, all getting the same subnet that the WiFi is on.  But since its a switch i get higher rate in the room between machines than i did with everything on WiFi. ( since it never has to traverse the WiFi to the other side of the house now ). 

Servers are still on the other switch, attached directly to the incoming fiber.  

https://www.amazon.com/gp/product/B07KHV4SCX/ref=ppx_yo_dt_b_asin_title_o00_s01?ie=UTF8&psc=1

It was partly me - but things have gotten sorted and seem to be running fairly stable. I'm loath to Eff with anything at this point. 

Sat Dec 26 2020 14:35:26 EST from Nurb432

it wasn't just you. 

Mon Nov 23 2020 21:39:23 EST from ParanoidDelusions

My site is suddenly running dog slow over the public ACE network. Telnet is working, but the webcit interface is very unresponsive. 

I thought it might be the Pi heating up, and so rebooted it, but the issue persisted. 

Then I connected directly - and that works fine. 

I am getting buffering and quality adjustments watching video over my regular ISP gateway too - which is unusual.

I've noticed it happen a couple of times today here at Uncensored, too. 

Wonder if it is an Internet wide thing, something going on with my local ISP, or something going on with ACE specifically. 

 

 

it wasn't just you. 

Mon Nov 23 2020 21:39:23 EST from ParanoidDelusions

My site is suddenly running dog slow over the public ACE network. Telnet is working, but the webcit interface is very unresponsive. 

I thought it might be the Pi heating up, and so rebooted it, but the issue persisted. 

Then I connected directly - and that works fine. 

I am getting buffering and quality adjustments watching video over my regular ISP gateway too - which is unusual.

I've noticed it happen a couple of times today here at Uncensored, too. 

Wonder if it is an Internet wide thing, something going on with my local ISP, or something going on with ACE specifically. 

 

My site is suddenly running dog slow over the public ACE network. Telnet is working, but the webcit interface is very unresponsive. 

I thought it might be the Pi heating up, and so rebooted it, but the issue persisted. 

Then I connected directly - and that works fine. 

I am getting buffering and quality adjustments watching video over my regular ISP gateway too - which is unusual.

I've noticed it happen a couple of times today here at Uncensored, too. 

Wonder if it is an Internet wide thing, something going on with my local ISP, or something going on with ACE specifically. 

Sun Nov 15 2020 23:06:16 EST from ParanoidDelusions @ Uncensored

 

Sun Nov 15 2020 18:24:30 EST from IGnatius T Foobar @ Uncensored

secure doesn't resolve. telnet does. And I see you got the very next /29 adjacent to mine :)

They'll set the reverse DNS to whatever you want. Just open a support ticket.

Being that I don't have it set to send Internet mail, reverse DNS shouldn't matter, right? 

Something is hosed on my subnet. There is a a mailserver set up at Ace's DNS as .98... 

I tried popping up to .102 and that killed everything... there is another address in my range that is registered in DNS as someone else... but I tried everything... 

Now I'm back to the .98 address - and nothing is resolving. I guess I'll wait 30 minutes and see if it starts working again. 

And interesting aside... from my own internal machines, I can get it to resolve going out through my ISP and back in through ACE. 
But my phone responds that the site doesn't respond. 

But, I pointed the DYDNS forwarder to the .98 address, and that works from the phone... 

So... something screwy is afoot. 

My BBS can't really afford extended downtime. It is already on life support. :) 

 

Well, I submitted a ticket, then went to bed. Then I woke up and I remembered that when my "networking guy," helped me set everything up, I noticed the gateway was wrong, and he fixed it and told me "remember this command, you may need it if it doesn't stick." So I came down, browsed history, found the command and issued it. Then I checked, and connectivity was back. Not sure if it was back before I issued the command. But the issue with a tracert of my ip address claiming it is mail.iymf.net still persists, so I'm thinking Ace hasn't fixed that yet - and it was just being impatient about waiting for DNS caches to flush and authoritative DNS to push. 

Either way, I seem to be fully back. I can even get there from my phone. Hopefully the handful of "callers," I had have not given up. It was probably a bandaid that needed to be ripped off, in either case. 

Sun Nov 15 2020 18:24:30 EST from IGnatius T Foobar @ Uncensored

secure doesn't resolve. telnet does. And I see you got the very next /29 adjacent to mine :)

They'll set the reverse DNS to whatever you want. Just open a support ticket.

Being that I don't have it set to send Internet mail, reverse DNS shouldn't matter, right? 

Something is hosed on my subnet. There is a a mailserver set up at Ace's DNS as .98... 

I tried popping up to .102 and that killed everything... there is another address in my range that is registered in DNS as someone else... but I tried everything... 

Now I'm back to the .98 address - and nothing is resolving. I guess I'll wait 30 minutes and see if it starts working again. 

And interesting aside... from my own internal machines, I can get it to resolve going out through my ISP and back in through ACE. 
But my phone responds that the site doesn't respond. 

But, I pointed the DYDNS forwarder to the .98 address, and that works from the phone... 

So... something screwy is afoot. 

My BBS can't really afford extended downtime. It is already on life support. :) 

If it isn't reachable, the damage is probably already done, and I might as well pull everything out and set it up right while I wait for the ISP to fix the MX record in their DNS. 

So, for now, I didn't want to disrupt the connection to my BBS while I create a bunch of new records to point directly to the BBS, remove the forwarding records, and disable the DDNS - and I realized that the easy way to start using the new static IP address was to simply replace the DHCP address in my DDNS service with the static one. Not exactly elegant, and probably the kind of thing that would make an actual networking professional want to claw his eyes out, but it should work. 

And it does, for me. 

But I haven't had a single caller to the BBS since I made the change. 

Doing some network investigation using some web based tools, a reverse lookup on the IP address I was assigned shows that it resolves as a mail server. I looked up the whois registry on that domain, and it is a yogurt and yoga company (I dunno... I guess they go together)... and that domain seems to be managed or hosted by the ISP I've purchased the block of IP addresses from as the authoritative DNS ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4584827Wed, 16 Sep 2020 18:10:43 -00004584827@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4581598Mon, 31 Aug 2020 10:48:23 -00004581598@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4574035Mon, 27 Jul 2020 13:06:58 -00004574035@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4539725Tue, 07 Apr 2020 13:38:56 -00004539725@Uncensored 2020-04-07 09:36 from IGnatius T Foobar >OpenDNS charges for that service, though. And they provide all sorts >of lovely "logs" to the administrator so that you can doxx your users >when they stray off the ranch. > > I know they have paid plans, but they also had a free tier with parental controls at least. Or they used to have it. ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4539720Tue, 07 Apr 2020 13:36:29 -00004539720@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4539712Tue, 07 Apr 2020 13:25:00 -00004539712@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4539395Mon, 06 Apr 2020 14:05:23 -00004539395@Uncensored 2020-04-05 14:57 from IGnatius T Foobar >I'm not sure how to feel about that. In this case it's good, but >imagine if Google started doing that to 8.8.8.8 (and they would >definitely do it to 8.8.8.8 and not some alternate address). Google's >editorial control over the Internet would be even more enhanced. > > You can use it or not. They've got one for parental control and one for parental control + malware. Maybe there's an interesting service to be had - a comparative DNS system.... Or maybe it's time for caching DNS to die. ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4539218Sun, 05 Apr 2020 18:57:31 -00004539218@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4538388Thu, 02 Apr 2020 15:15:49 -00004538388@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4537546Mon, 30 Mar 2020 13:59:20 -00004537546@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4536757Fri, 27 Mar 2020 15:10:17 -00004536757@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4536575Thu, 26 Mar 2020 21:57:49 -00004536575@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4491235Wed, 09 Oct 2019 20:00:02 -00004491235@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4491188Wed, 09 Oct 2019 16:26:40 -00004491188@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4490876Tue, 08 Oct 2019 12:58:48 -00004490876@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4490699Mon, 07 Oct 2019 21:01:43 -00004490699@Uncensored 2019-10-07 09:49 from IGnatius T Foobar >The salesman doesn't need to know what it is. I'm pretty sure all the >big ISPs are doing PD if they do IPv6 at all, and the consumer grade >routers all seem to know how to handle it. > > Maybe it is so over there. Over here you get a lame DS-lite (if you get something) and a single prefix for a single LAN network assigned. I talked to a tech and he told me the networking gear and the routers they were giving to customers support prefix delegation but they are just not setting it up. ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4490610Mon, 07 Oct 2019 13:49:54 -00004490610@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4487096Mon, 23 Sep 2019 21:23:36 -00004487096@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4487042Mon, 23 Sep 2019 18:37:20 -00004487042@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4485125Mon, 16 Sep 2019 14:35:10 -00004485125@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4485116Mon, 16 Sep 2019 14:10:55 -00004485116@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4485068Mon, 16 Sep 2019 10:23:52 -00004485068@Uncensoredhttps://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4483283Mon, 09 Sep 2019 14:48:53 -00004483283@Uncensored 2019-09-06 23:47 from IGnatius T Foobar >There are still people who want NAT66, because muh security by >obscurity. > I wouldn't let these people anywhere near my network. That is correct. Stateful packet filters handle this problem in an equally secure way without requiring NAT ]]>https://uncensored.citadel.org/readfwd?go=Networking?start_reading_at=4483150Mon, 09 Sep 2019 05:16:58 -00004483150@Uncensored

Thu Sep 05 2019 09:35:44 EDT from IGnatius T Foobar @ Uncensored

Until the mid 1990's, having Internet at all meant having a globally unique, and usually static, IPv4 address. Back then, the end-to-end nature of IP was usable. Dynamic addressing and NAT ended that, which is one reason so many consumer products are tied to a hosted service if you want to be able to reach them remotely. IPv6 will fix that, but its adoption is long overdue.

From 1996 until 2000, this BBS was attached to the Internet on a dialup connection.
I paid my ISP for a static IP address and permission to keep the connection pinned up over an unmetered local call. It was crude, but it worked, and it saved the board from extinction when everyone moved over to the Internet.
In fact, it became more popular than before because it was multiuser and some old friends returned who had moved out of the area. Eventually I was able to secure a DSL connection with a static IP address and explicit permission to run servers, which served us well until 2007 when I mo

Well, even when my DNS was borked - the IP address was still working fine, of course. The problem is, my ISP gives dynamic IPs - and though they don't rotate often, they do rotate - which ties me to DNS and DDNS for now. If there is a better way, I'll be the first in line. ;) 

Well said.

I am starting to be afraid of the clearnet (regular Internet). Most of my Internet activity is in shady deep web/hidden services/minoritary platforms these days because I don't feel safe as a user. It is not because I am concerned that governments or corporations might mine my data (which they would) but because there is this threat of ideological, legal and social persecution.

I mean, I am in the very unpoliced parts of the Internet, dealing with the ocasional nutjob, sexual predator, you name it, on a daily basis. And I have zero problems. I recently registered to a web service without the protection of an anonimity layer for the first time in more than a year and I got into a hell of a lot of trouble because some service administrator interpretated that I was poaching kids online. How fucked up that is. And now this people has my data.There is this tendency to bubblewrap a certain sector of the population at the expense of making the lives of everybody else impossible, and it is getting very bad on the Internet, but if you use an anonimity network overlay it makes you tremendously free. I mean, if I post "My humor is so black that it has been arrested" in a joke site and some administrator threatens to sue me or whatever for racism, I know I am covered because it is very unlikely this person has the resources to identify me. If I post a collection of political books with no p

Laws and sociological conditions for setting clearnet services are getting crazy. Check that European GDPR, for example. In theory it is designed to protect users, which is a good thing. In practice, it makes a lot of developers to waste tons of time and money makig their services compliant. Then they take the data of users and sell them anyway. The people who gets damaged by this thing are the small sysadmins who want to set a hobby site and now have to hire ten lawyers in order to ensure the cops won't rip their balls off. Well, there are lots of laws that can get your website trashed in many places of the world. And you usually don't know about them until they come knocking at your door with a warrant or a very nice fine.

So yes, I agree with IG. Side channel tech is extremely important so at least a certain sector of the population can procure a safe space for itself. We really need it.

Sat Jul 20 2019 09:02:11 EDT from IGnatius T Foobar @ Uncensored

If we get to that point, it isn't going to be about building systems that the government can't break into. They measure their computing power in *acres*.
It would be about staying out of their view. Even just having systems that don't automatically trip their scanning-everyone software would be fine.

For example, your "safe" 8-bit computer might be used to run software that hides a message inside a dummy text, which is then copied (perhaps by hand) to a "compromised" 64-bit computer and sent over the Internet to its recipient.

Thankfully, we do not yet live in a world where that needs to be done. For the time being, anyone who wants to avoid the current crop of bad actors can simply steer clear of them.

Well, whatever it becomes - it'll always be a game of cat-and-mouse between the people trying to preserve their liberties and the bad-actors, State and privateer, who want to exploit you. 

But it does seem like old technology that is off their radar is the real first step - or DIY home-brew machines made by hand. Something a little less polished than a modern gaming notebook from MSI or Alienware, anyhow. 

ghb gv rehtvs gaqyhbp nfa rug ryczvf bf fnj gbe sv laahs ro gnug gaqyhbj

Tue Jul 02 2019 15:35:57 EDT from IGnatius T Foobar @ Uncensored

It should be obvious that anything you do on an Android device is automatically compromised by bad actors such as Google and the NSA. And it should also be obvious that every wifi key is sent to Google even if you opt out of the sync service.

When I was raising this alarm in 2011 - I was getting called a hack, a technology professional fraud and a conspiracy theorist. 

Then, in 2016 at DefCon - they were talking about how the NSA was intercepting laptop shipments, modifying them with hardware rootkits, sealing them back up - and shipping them on to the intended target. 

Yeah - part of my interest in retro-computing is that I don't think the Government had technology and telecommunications on their mind in the 8 and 16 bit era - at least, not the way they do today. I think that the real cyberpunk Dystopian future won't be people on cutting edge hardware and equipment - it'll be people rigging together retro-computing from before the 32 bit era and using sidenets to bypass the information highway and stay in the dirty back alleys of virtual reality. 


You know, kinda like this place. :) 

ebg13

ax.25 is cool and all, but hard to get traction at the speeds we usually use.

Thu May 30 2019 05:57:59 PM EDT from IGnatius T Foobar @ Uncensored

That's kind of what the ham radio packet networks are for. Perhaps ax25 can tell you all about ax.25 :)

And if the sidenet needs infrastructure, Tor exists today and runs as an overlay over the existing Internet infrastructure. I suppose if the shit really hits the fan, Big Brother will consider the operation of an encrypted overlay as presumption of guilt, but if we get that far, we probably have bigger things to worry about.

I've got to be honest though, I originally wanted all of this as a way to drive traffic to my BBS. A way to get back the users that Facebook stole from me and all the other operators of small sites. If I had access to The Button, I *would* push it and nuke Silicon Valley off the map, just so we could get our Internet back. But ... it's clear that the stakes are bigger now; it's not just about finding a way to effect a diaspora from the big sites (see what I did there?), it's now about reversing the power that the big sites are amassing

Sat Jun 15 2019 08:03:50 EDT from IGnatius T Foobar @ Uncensored

But ... encryption keys? When you connect to wifi from an Android device, your encryption key is captured and sent to Google? That's over the line, and it's enough to flip my opinion on whether that is acceptable behavior.
On what basis do they claim this has any value to the customer?

User convenience. There is a setting buried in Android settings that stores WiFi keys - ANY WiFi key, on Google Servers so that when a user gets a new Android device and logs in with their Google account, it downloads all their previous WiFi connections so that they can just go to where that AP is and it will connect automatically without having to re-enter the key. 

They were REALLY upset with me and basically told the German tech site that I was an idiot when I posted this in 2011, and people were divided. A lot of people were responding, "It is totally opt-in when you're setting it up and can be turned off in settings." Which is true, but most people get a device and a Verizon redshirt sets it up and just flips through the screens accepting the defaults and the end user doesn't know this has been selected or how to turn it off. Worse, it isn't granular. You can't turn it on or off on a case by case basis - it is all in or nothing - and they've d