• 0 Posts
  • 23 Comments
Joined 1 year ago
cake
Cake day: August 8th, 2023

help-circle


  • A lot of negativity around Ubiquity in here, which is surprising to me, honestly. I had their USG for years and loved it, recently swapped it out for the Dream Machine and love it. Really don’t understand the complaints about linking it to the cloud. I just didn’t bother, everything works fine. Additionally, I managed to get a Debian container running on it and installed ntopng, it’s been awesome for getting realtime visibility into my network traffic.

    E. I should add I have 6 of their switches and 3 access points, one of which is at least 7 years old and still receiving updates.




  • You aren’t wrong, per se, I think you just don’t fully grasp the attack vector. This is related to DHCP option 121, which allows routes to be fed to the client when issuing the ip address required for VPN connectivity. Using this option, they can send you a preferred default route as part of the DHCP response that causes the client to route traffic out of the tunnel without them knowing.

    E. It would likely only be select traffic routing out of the tunnel. I could, for example, send you routes so that all traffic destined for Chase Bank ip addresses comes back to me instead of traversing the tunnel. Much harder to detect.





  • It probably has to do with being native ipv6 and needing to ride a 6to4 nat to reach the broader internet.

    Start at 1400 and walk the MTU down by ~50 until you find stability, then id creep it back up by 10 to find the ‘perfect’ size, but that part isn’t really needed if you’re impatient. :)

    E. I found 1290 was needed for reliable VPN over an ATT nighthawk hotspot.




  • For what it’s worth, I did specifically say ecosystem because the TPM is just one component, which is required to authenticate the remote wipe. Also the drivers are installed automatically with most modern operating systems, it’s not like you install your own south bridge driver, for example. Linux of course notwithstanding.

    I’ve seen it used successfully numerous times. Someone steals one of our laptops, rips the drive out, installs vanilla windows, and boom it reboots and performs a wipe.

    Regardless, system-on-a-chip are just that, systems; they can absolutely make remote calls without user interaction, just as intimated by the comment you originally replied to.



  • Yeah, if you use your own password cipher, you never have to memorize a password again. Just derive it based on some common input value, like the company name or url. Makes password rotation tricky, though, and it’s a pain when a website won’t allow a special character you generally use, creating “one offs” that are hard to track.



  • I hope I don’t get flayed for saying this, but I actually had this problem on Windows once, and it turned out to be thermal throttling of the CPU. I was going from 4+ghz to around 200mhz and then it would shoot back to normal. Just needed a thorough cleaning of the fans and ducting.

    Thought it was worth mentioning on the off chance it might help someone.