• 0 Posts
  • 25 Comments
Joined 1 year ago
Cake day: July 1st, 2023


  • Without Carlos driving at his peak, Ferrari will not be able to guarantee second in constructors, let alone challenge for first, as Perez continues to contribute nada to Red Bull. I’d imagine they’d like to continue to be second and specifically ahead of McLaren. To do that they’ll need him to be motivated to be a driver, and I don’t know much about him, but if I’ve seen anything from the races, it’s that he’s motivated by personal achievements.

    Either way, a double Ferrari DNF from infighting entertains me greatly. :)


  • One rich company trying to claim money off the other rich companies using its software. The ROI on enforcing these will come only from those that really should have been able to afford to pay, and if they can’t, they shouldn’t have built on the framework. Let them duke it out. I have zero empathy for either side.

    The hopeful other side is that with a “budget” for the license, a company can consider using that to weigh up open source contributions and expertise, allowing those projects to have experts who have income. Even if it’s only a few companies that then hire for that role of porting over and contributing back to include needed features, more of that helps everyone.

    The same happens in security, there used to be no budget for it, it was a cost centre. But then insurance providers wouldn’t provide cyber insurance without meeting minimum standards (after they lost billions) and now companies suddenly have a budget. Security is thriving.

    When companies value something, because they need to weigh opportunity cost, they’ll find money.



  • Hold them all to account, no single points of failure. Make them all responsible.

    When talking about vscode especially, those users aren’t your mum and dad. They’re technology professionals or enthusiasts.

    With respect to vendors (Microsoft), for too long have they lived off an expectation that it’s always an end user or publisher responsibility, not theirs, when they’re offering a brokering (store or whatever) service. They’ve tried using words like ‘custodian’ when they took the service to further detract from responsibility and fault.

    Vendors of routers and firewalls and other network-connected IoT for the consumer space are now being legislatively required to adhere to bare minimum responsible practices such as ‘push to change’ configuration updates and automated security firmware updates, oh, and the long-awaited mandatory random password with reset on first configuration (no more admin/Admin).

    It’s clear this burden will cost those providers. Good. Just like we should take a stance against polluters freely polluting, so too should we make providers take responsibility for reasonable security defaults instead of making the world less secure.

    That then makes it even more the user’s responsibility to be responsible for what they then do insecurely, since security should be the default by design. Going outside of those bounds is at your own risk.

    Right now it’s a Wild West, and telling what is and isn’t secure would be a roll of the dice since it’s just users telling users that they think it’s fine. Are you supposed to just trust a publisher? But what if they act in bad faith? That problem needs solving. Once an app/plugin/device has millions of people using it, its reputation is publicly seen as OK even if completely undeserved.

    Hmm rant over. I got a bit worked up.


  • Tailscale can act as a site-to-site VPN, but it’s best used as a mesh VPN IMO, with as many things as possible in it.

    Why? Because the dynamic DNS is so powerful. Every host name is automatically in every other Tailscale-joined computer. My NAS (TrueNAS in my case) is just “nas”, so to access it it’s just https://nas. Same with my RustDesk server on https://rustdesk. Jellyfin? You guessed it: https://jellyfin.

    Why is this cool? I moved my box between other networks and it just works again. No IPs changed.

    I take it to work. It just works. I keep one server at my parents place? It just works.

    But my printer doesn’t have the ability to join the tailnet so I use subnet routing to create a node on that network to act as a NAT router to get to and from that printer.

    You can even define exit nodes, so if I install Tailscale on my parents’ TV in another state, they can exit their internet via my home, which has my IP, and therefore Netflix counts it as inside my residence.

    Anyway, just some considerations. I generally use the subnet routing as a last resort. My 3-node Proxmox cluster is all joined, and if I took a node to my parents’ it would literally just work, if slower, as a cluster member. Crazy. Very cool.


  • I’ve used virtio for Nutanix before and, not using OpenSpeedTest but instead using iperf, gathered line rate across hosts.

    However, I also know network cards matter a lot. Some network cards, especially the cheap Intel X710, suck. They don’t have specific compute offloading that can be done, so the CPU does all the work and the host CPU itself processes network traffic, significantly slowing throughput.

    My change to Mellanox 25G cards showed all VM network performance increase to the expected line rate, even on the same host.

    That was not a home lab though, that was production at a client.

    Edit: sorry, I meant to wrap up:

    • To test, use iperf (you could use UDP at 10Gbit and run it continuously; in UDP mode you need to set the size you try to send)
    • While testing, look at CPU on the host

    If you want to exclude Proxmox, you could attempt to live-boot another USB Linux and test iperf over the LAN to another device.


  • I’m not going to argue strongly for this, but there’s a certain irony that if the Defender suite (Defender for Identity, Defender for Cloud Apps, Defender for Office, and Defender for Endpoint) was instantly unlocked in their Plan 2 version for every subscriber for free, that would kill a huge segment of the security market, including some of the industry leaders like SentinelOne, Huntress Labs, and even SIEM providers like Splunk and Arctic Wolf and dozens more. The XDR and identity management industry would instantly be forced into an anti-competitive environment.

    There’s an argument for ‘but if they built it secure, then you wouldn’t need to bolt on detections’. I think a relevant metaphor is: you buy a house, but then you add detection like cameras and intrusion detection. Make sure the locks on the doors and windows aren’t bypassed.

    So I would think there is some nuance. And frankly, for small business, the cost for M365 Business Premium, which has all of that, including a bunch of information protection and data loss prevention. You just actually have more of a configuration requirement that nearly none of the customers I onboard have ever done…


  • Ok so you may need to translate a few things.

    Routers gateway networks. Networks are extended physically by Ethernet. The “ether” in Ethernet basically means “to the network it doesn’t matter what the medium is”, and in days past that was coax, or whatever cabling you had, but today in a house it is almost exclusively fibre, WiFi, and Cat[5/6/7].

    Why does this matter? The router is the pivot between networks. Wireless access points are just part of the network.

    A wireless router is a device with two functions!

    OK, so how does a router work? When you buy a home-grade router like an Asus or Netgear, you get a device which has a single routing statement: “0.0.0.0/0 via connected interface WAN”. This works on almost everyone’s home network because they only have a single network.

    A local network doesn’t need a router to talk; you only need one when you need to talk to something on another network. Your devices automatically broadcast to every other device on connection or device start-up, “I’m [MAC address] with IP [IP], can you introduce yourself?”, and everyone who is online responds back, not in broadcast but unicast directly to that device, with their MAC address. Your device stores that info in a MAC address table with time-outs. This applies to the router too; it knows all the IP addresses on the LAN interface.

    OK, now we want to add a second home network to segment IoT away from your highly personal devices with all your personal information. Good idea! To do that on any “fully fledged” router it’s super easy: you would connect a cable to LAN2, plan a second IP subnet, and connect a switch or AP to that. The router is now a router for network LAN1 and LAN2. If a device on LAN1 needs to reach LAN2, it goes, “this IP isn’t in my subnet, therefore I will send it to the router”. It will have no idea if the device is online or offline; it just sends it blindly to the router. Your router gets that IP and now looks at its routing table, which now looks like this, for example:

    • 192.168.0.0/24 via connected interface LAN1
    • 192.168.1.0/24 via connected interface LAN2
    • 0.0.0.0/0 via connected interface WAN

    So now the router, which knows you tried to get to a device within LAN2 from LAN1, will check the MAC address table it has for LAN2 and see if there’s a MAC address it’s learned from that device connection. If it does, it sends the packet on unmodified. The packet has return address information saying who sent it, and the IoT device can talk back.

    Wonderful, that’s the simplest type of multi-LAN network you can create. There are no virtual LANs, and everyone expects networks to mostly work this way. This exact principle is how the rest of the whole internet works: what networks are via what interface, and a traceroute will tell you the resulting path. A router doesn’t need to know the destination, just the next network.

    One last note on the background info: if you don’t want to set up everything with static IP addresses, you’ll set up a DHCP server which gives out IP details to devices via a lease system, and included can be DNS settings. You must have a DHCP service within a local network. That can be on the router on the LAN1 interface, and another DHCP server with different details on LAN2.

    To apply this to your problem, I think you’ll want to review the features of the two WiFi routers that you have. Many home routers do not support two discrete LAN interfaces. If they have 4 LAN ports, they could already be configured as a “bridge”, which is to say they’re a switch. They’re all grouped, all belonging to LAN1. Check to see if you can remove one from the bridge. BTW, the WiFi is usually part of this bridge too.

    If I had to guess the Asus router is likely more featured and more likely to have the ability to create a new network on a different interface.

    The simplest design will be to have your one router be the router for both networks. One wireless router has the router function disabled and becomes a wireless access point connected to LAN2. The router will know all connected networks (WAN/LAN1/LAN2). You won’t even need to write in your own route.

    But if this is not possible, it is still possible to use NAT. Network address translation is a technology for a router to re-write the “return address” on every packet it sends. The return address becomes the router’s WAN interface IP. Your network already has NAT, because your LAN IP would send to an external network like “1.1.1.1”, and if your return address was “192.168.0.2” then 1.1.1.1 wouldn’t know how to get back to you, since your IP is used on millions of home private networks. Instead, your router uses NAT to keep a table of every single connection to the internet, waits for replies, and redirects them back to the right device. It replaces the source address with your ISP-assigned public IP. So 1.1.1.1 could have got a return address of 12.23.34.45, your home internet IP.

    This can work on your home network, but there are limitations. It’s just that 1.1.1.1 can’t randomly reach back out to the original device, ever. Only your device can ask 1.1.1.1. If 1.1.1.1 tried to reach back to your public IP, the router has no NAT entry for this, and drops the connection.

    So let’s take the real possibility that you can’t set up two LAN interfaces on your home-grade routers. What would you do? Instead you could have a second wireless router with NAT enabled (which it is by default). Your second wireless router could broadcast a different SSID, and its network IP subnet address should be different to your home network IP subnet address. So if your home is 192.168.0.0/24, your IoT could be 192.168.1.0/24. Your WAN interface should be set up static on an address that does not conflict with your DHCP scope. Or if it does, go to the DHCP server and reserve it. It should be an IP that doesn’t change and can’t accidentally be given to another device, thereby giving you IP conflicts.

    So then your IoT devices will now get that 192.168.1.2+ address and reach to your IoT router to get out of their network. Now, this does allow them to talk to your home network devices on 192.168.0.0/24. But the downside is your home LAN devices by default can not talk to your IoT devices. This is kind of the reverse of what you want from a security perspective. To configure your IoT you’ll need to join the IoT WiFi. Why is this? If you, on your home-network-connected device on 192.168.0.1/24, try to go to the IoT network device on 192.168.1.0/24, then the home device first notes that the network is not local, so it will send the request to the configured gateway. Your home gateway has no idea where 192.168.1.0/24 is either. So it goes out to the 0.0.0.0/0 route, which is to your ISP’s router.

    I’m sure you’ll think: if this is backwards, why not flip my home network behind my second NAT router? And the answer is NAT isn’t free, and you’ll probably have heard of CGNAT, or carrier-grade NAT, making a mess of games and services. Double NAT has problems too.

    So what about DHCP and DNS? The simple answer is the IoT router becomes a DHCP server and offers your IoT Pi-hole for DNS. Your home network shouldn’t need touching.

    There are ways to band-aid these two networks. If you know your home router has a proper route table, you can modify that. Remember you set up the IoT router with a static IP? Well, here’s why. If you set up a route statement 192.168.1.0/24 via IP 192.168.0.251 (whatever IP the IoT router has), then your home router can find and redirect traffic. This still occasionally has issues though: this routing statement can create a triangle route, which would take a long time to explain, and secondly a fix for that can be more NAT, more translation, so we can return communication the same way, but the branching possibilities are still not fully defined. An alternative fix is, on your local computer, to add a single routing statement to find 192.168.1.0/24 via 192.168.0.251 (or whatever IoT router IP you assigned).

    Now my suggestion: get a router which handles two local networks. Then your topology is pretty much the simplest, easiest to troubleshoot later, and avoids NAT.
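    An added illustration of the routing and NAT behaviour this comment describes (example code written for this page, not the commenter’s own). The route tables and the 192.168.0.251 IoT router address are the comment’s figures; the host addresses and ports are constructed, and the lookup is the general longest-prefix match of which the comment’s tables are instances.

```python
import ipaddress


def lookup(route_table, dst):
    """Longest-prefix match over [(prefix, via), ...]; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Home router as the comment describes it: one LAN plus the default route.
HOME_ROUTER = [("192.168.0.0/24", "connected LAN1"),
               ("0.0.0.0/0", "connected WAN")]
# The static route the comment suggests adding (192.168.0.251 = IoT router).
IOT_STATIC_ROUTE = ("192.168.1.0/24", "via 192.168.0.251")


class NatTable:
    """Connection-tracking NAT: outbound traffic creates an entry, replies
    matching an entry are mapped back, anything else is dropped (None)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.entries = public_ip, first_port, {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        port, self.next_port = self.next_port, self.next_port + 1
        self.entries[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, port  # rewritten source address seen by dst

    def inbound(self, src_ip, src_port, dst_port):
        return self.entries.get((dst_port, src_ip, src_port))


def home_to_iot_next_hop(static_route=False):
    """Where the home router sends a packet from the home LAN to 192.168.1.50
    (constructed IoT host): to the ISP unless the static route is present."""
    table = HOME_ROUTER + ([IOT_STATIC_ROUTE] if static_route else [])
    return lookup(table, "192.168.1.50")


def iot_to_home_roundtrip():
    """IoT host 192.168.1.50 talks to home host 192.168.0.20 through the IoT
    router's NAT, whose WAN side sits on the home LAN as 192.168.0.251."""
    nat = NatTable("192.168.0.251")
    src_seen = nat.outbound("192.168.1.50", 51000, "192.168.0.20", 80)
    reply_target = nat.inbound("192.168.0.20", 80, src_seen[1])
    # Unsolicited connection from the home LAN towards the IoT side: no entry.
    unsolicited = nat.inbound("192.168.0.20", 52000, 443)
    return src_seen, reply_target, unsolicited


if __name__ == "__main__":
    print("home -> IoT, no static route :", home_to_iot_next_hop())
    print("home -> IoT, with static route:", home_to_iot_next_hop(True))
    print("IoT -> home via NAT          :", iot_to_home_roundtrip())
```

    The IoT router’s own WAN-side firewall, which would still need to permit the routed traffic, is outside what this simulation models.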


  • Yep, though I’m a sysadmin and can feel for that, these consolidated platforms are being used as a straight “you trust this, so when I infect you, I’ll use payloads I’ll temporarily host in GitHub, because you already block overseas by default except for a bunch of whitelisted trusted domains.”

    https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/

    It’s technically easy to allow a subdomain, but it’s really hard to unblock just a path.

    So yeah, what generally happens is the SOC team complains that the new threat is here, and either vendors (had this with Fortinet) move the risk rating of GitHub from a 3.5 to a 6 out of 10, I had put the threshold at a default 5, and now it’s being blocked. I wonder why it wasn’t blocked before? Well, it wasn’t as risky last week as it is now.

    Anyway just thought I’d share the IT sysadmin POV.

    More to the point, using security as an example, we use SentinelOne and Azure Sentinel. I’ve had an ‘I want to compare CrowdStrike and Huntress Labs’ because I’ve seen really good things with those XDR/SIEM tools. But I got shot down. Why? We can’t deviate from our standards. Well, how will we know if the competition is better? Is our choice good? Who knows.

    I still don’t know. I sleep easy knowing it’s not my burden though. It’s their fault if they get compromised on an attack that the other vendor would stop.


  • Penny-drop moment of “oh right, we have to look at the competing engines to see our own weakness”? Frankly it should be obvious.

    “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

    For me it raises a really odd question about their culture too, since only after Ishin’s remaster did they add a policy to review developer tools and technology, in a development company.

    I’m trying not to read into it any more than that, but I can’t help but imagine there were board meetings beforehand going ‘guys, our team want to try using Unreal’ and some exec going ‘no, it’s banned, we only use our own proprietary code or else we’ll lose our brand and be washed out! All other engines are banned!’.


  • The messaging around this so far doesn’t lead me to want to follow the fork on production. As a sysadmin I’m not rushing out to swap my reverse proxy.

    The problem is, I’m speculating, but it seems like the developer was only continuing to develop on condition that they retained control over the nginx decision making.

    So currently it looks like, from a user of nginx, the CVE registration is protecting me with open communication. From a security aspect, a security researcher probably needs that CVE to count as a bug bounty.

    From the developer’s perspective, F5 broke the pact of decision control being with the developer. But for me, I would rather it be registered and I’m informed, even if I know my configuration doesn’t use it.

    Again, assuming a lot here. But I agree with F5. That feature, even beta, could be in a dev or test environment. That’s enough reason to know.

    Edit: Long term, I don’t know where I’ll land. Personally I’d rather be with the developer, except I need to trust that the solution is open not in source, but in communication. It’s a weird situation.


  • Although that might be true, the moment the ‘friend’ gave away his account recovery answers to the phisher, I think he would have been compromised either way. It was likely that the phisher was in real time actioning an account recovery, and using the friend as the proxy to give answers to the prompts. Plus, since it’s already second-hand info we can’t tell, but if the phisher simply asked ‘can you read me the code on your authenticator’ or ‘press approve and you’ll complete the recovery process’, that would have been successful.

    In investigating account breaches I’ve found most people shamefully don’t retell the whole story: they’re embarrassed and upset and fearing loss of employment. They kind of shut down. In this case, social status or opinion could be harmed, so it would be hard to trust the story is complete. Generally my logs come from Entra ID, and you can see the authentication came from the mobile device even though it was a prompt generated by the phisher.

    Anyway, I’m a big advocate for layers of security, and you’re completely right in your stance. Technology is fragile to exactly what you said. We live in a world of incomplete information, using trust and judgement under time pressure and poor sleep. Phishing attacks are ruthlessly designed to target that weakness in people. I’m empathetic when it is successful.


  • On many systems, the weakest link is that it needs to accommodate a ‘lost my X’, e.g. MFA, password, etc.

    Systems often have a way to get in by resetting them, validating through more factors but often weaker ones, “not phishing-resistant” factors like security questions. That way the account can get it removed or a new one put on.

    MFA isn’t a silver bullet; it is another layer of Swiss cheese. Most people will think twice about giving it away on a chat app. But there’s a reason IT departments sign you up for those phishing simulations and training videos.

    But you could still be right in this case. I just wanted to note, broadly speaking, you can’t assume perfect security is achieved with MFA. You still need to be constantly vigilant.