It blows my mind that this was cutting edge, jaw dropping graphics back in the day. A shape-shifting trapezoid with some panicked faces peeking out.
E. Nah, now I’m thinking it’s a one-dimensional parallelogram.
Full tunnel would not mitigate this attack because smaller routes are preferred over larger ones. So, sure, 0.0.0.0/0 is routed over the tunnel, but a route for 8.8.8.8/32 pointing to somewhere layer 2 adjacent, pushed via DHCP option 121, would supersede that due to being more specific.
The kill switch only checks that the VPN is up, not whether traffic is correctly routed over it.
You aren’t wrong, per se, I think you just don’t fully grasp the attack vector. This is related to DHCP option 121, which allows routes to be fed to the client when issuing the IP address required for VPN connectivity. Using this option, they can send you a preferred default route as part of the DHCP response that causes the client to route traffic out of the tunnel without them knowing.
E. It would likely only be select traffic routing out of the tunnel. I could, for example, send you routes so that all traffic destined for Chase Bank IP addresses comes back to me instead of traversing the tunnel. Much harder to detect.
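As an added example (this is not code from the thread, and it uses constructed, documentation-range addresses), the block below decodes an RFC 3442 DHCP option 121 payload and runs a longest-prefix-match lookup over a table that already holds the VPN's 0.0.0.0/0 on tun0. The interface names, the next-hop addresses, the payload bytes and the `naive_killswitch_check` model of a "tunnel is up" check are all assumptions made for the illustration.

```python
"""
Added example, not code from the original thread: decode a DHCP option 121
(RFC 3442 classless static routes) payload and run a longest-prefix-match
lookup to show why a /32 or /24 pushed by a rogue DHCP server on the LAN
wins over the 0.0.0.0/0 that the VPN client installed on tun0.
All addresses, interface names and the payload are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop, egress interface)
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, str]

# Constructed: the only route the VPN client thinks matters.
VPN_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("10.8.0.1"), "tun0"),
]

# Constructed option 121 payload from a rogue DHCP server on the same LAN.
# RFC 3442 encoding per route: prefix length, ceil(len/8) significant
# destination octets, then a 4-byte router address.
ROGUE_OPTION121 = bytes.fromhex(
    "20" "08080808" "c0a801fe"  # 8.8.8.8/32      via 192.168.1.254
    "18" "cb0071"   "c0a801fe"  # 203.0.113.0/24  via 192.168.1.254
)


def parse_option121(payload: bytes, ifname: str = "eth0") -> List[Route]:
    """Decode RFC 3442 classless static routes; they land on the LAN interface."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nsig = (plen + 7) // 8
        dest = payload[i:i + nsig] + b"\x00" * (4 - nsig)
        i += nsig
        router = payload[i:i + 4]
        i += 4
        if len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router), ifname))
    return routes


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: the most specific matching prefix wins,
    regardless of which process installed it or in what order."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def build_table() -> List[Route]:
    """Routing table after the VPN is up AND the rogue lease has been accepted."""
    return VPN_ROUTES + parse_option121(ROGUE_OPTION121)


def egress_interface(dst: str, table: Optional[List[Route]] = None) -> str:
    route = longest_prefix_match(table if table is not None else build_table(), dst)
    return route[2] if route else "unreachable"


def leaked_destinations(dsts: List[str]) -> List[str]:
    """Destinations that bypass tun0 even though the default route points into it."""
    table = build_table()
    return [d for d in dsts if egress_interface(d, table) != "tun0"]


def naive_killswitch_check(table: Optional[List[Route]] = None) -> bool:
    """What a 'tunnel is up' kill switch effectively tests (assumption for the
    illustration): is there any route into tun0 at all? It says yes here,
    so the leak goes unnoticed."""
    table = table if table is not None else build_table()
    return any(r[2] == "tun0" for r in table)


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.9", "198.51.100.7"):
        print(f"{dst:>15} -> {egress_interface(dst)}")
    print("kill switch happy:", naive_killswitch_check())
    print("leaked:", leaked_destinations(["8.8.8.8", "203.0.113.9", "198.51.100.7"]))
```

Run as-is: 8.8.8.8 and anything in 203.0.113.0/24 egress on eth0 toward the LAN next hop, 198.51.100.7 still takes tun0, and the "is tun0 routed at all" check stays green throughout. The practical check is to compare the installed routing table against what the VPN client installed, not just whether the tunnel interface exists.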
Engineering is engineering. You design it, you build it, you test it. Engineering. We shouldn’t gatekeep words.
With that said, I recognize that certain engineering disciplines have overlap with public safety, and should come with some qualifications to back it up.
After spending a few minutes mulling it over, I’ve realized the only right move is for me to sell the cube to someone more clever than myself.
Can I only teleport back to where I teleported in from, or can I teleport out of the cube to anywhere I want?
Why didn’t you stick with 3% peroxide to clean it, out of curiosity? Just none available, or am I the only crazy person who does this from time to time?
Fwiw, most modern thermostats have an emergency failsafe temp setting that will always turn the heater on when reached, even if inadvertently set lower by mistake. Saved my bacon in a rental once.
I hope I don’t get flayed for saying this, but I actually had this problem on Windows once, and it turned out to be thermal throttling of the CPU. I was going from 4+ GHz to around 200 MHz and then it would shoot back to normal. Just needed a thorough cleaning of the fans and ducting.
Thought it was worth mentioning on the off chance it might help someone.
That makes sense! Believe it or not, it’s actually easier for an ISP to block a whole country than select websites and services. We actually null route all Russian public IP space where I work; that would absolutely be plausible on a national scale as well.
It’s imperfect, you can get around it, but it catches 99% of normal users, which is the goal.
You are absolutely correct, I should have led with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.
It’s worth noting, though, that if I am your ISP and I see you connecting to, say, public IP 8.8.8.8 over https (443), I don’t need to see the SNI flag to know you’re accessing something at Google.
First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.
Second, if you target an IP that isn’t blocked outright, and I can’t see your SNI flag, I can still try a reverse lookup on the IP myself and block your connection if the returned record matches a restricted pattern, say google.com.
VPN gets around all of these problems, provided you egress somewhere less restrictive.
Hope that helps clarify.
Yeah, even if they miss your DNS request, the ISP can still do a reverse lookup on the destination IP you’re attempting to connect to and just drop the traffic silently. That is pretty rare though, at least in the US, mainly because it costs money to enforce restrictions like that at scale, which means blocking things isn’t profitable. However, slurping up your DNS requests can allow them to feed you false error pages, littered with profitable ads, all under the guise of enforcing copyright protections.
Most ISP blocking is pretty superficial, usually just at the DNS level, so you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it’s computationally expensive at scale, and generally avoided outside of enterprise networks.
With that said, when in doubt, VPN out. ;)
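As an added example covering the two replies above (not code from the thread, and nothing in it touches the network), the block below runs the three ISP-side checks they describe over constructed traffic: a destination IP blocklist, SNI extraction from a plaintext TLS ClientHello, and a reverse (PTR) lookup when no SNI is visible. The ClientHello builder, the PTR table, the blocklist, the restricted-pattern list and every address are assumptions made for the illustration; a ClientHello with no server_name extension stands in for one whose SNI the ISP cannot read.

```python
"""
Added example, not code from the original thread: the three ISP-side checks
described above, run over constructed traffic. (1) Drop by destination IP
blocklist, no inspection needed. (2) Read the server name out of a plaintext
TLS ClientHello (SNI). (3) If no SNI is visible (modelled here simply as a
ClientHello without the extension), fall back to a reverse (PTR) lookup of
the destination IP. The PTR table, blocklist, patterns and addresses are all
constructed; nothing here touches the network.
"""
import struct
from typing import Dict, Optional

BLOCKED_IPS = {"203.0.113.10"}                        # constructed: known-blocked site IPs
RESTRICTED_PATTERNS = ("google.com", "example.org")   # constructed: domain suffixes to block
PTR_TABLE: Dict[str, str] = {                         # constructed reverse-DNS answers
    "198.51.100.5": "www.example.org",
    "198.51.100.9": "edge-17.example.net",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS ClientHello record, with an SNI extension when a name is given."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension server_name
    body = (
        b"\x03\x03" + b"\x11" * 32              # client_version, 32-byte random (constructed)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record to the server_name extension; None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # handshake record, client_hello
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        p += 1 + record[p]                                  # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]     # cipher_suites
        p += 1 + record[p]                                  # compression_methods
        if p + 2 > len(record):
            return None                                     # no extensions block at all
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == 0x0000:
                q = p + 2                                   # skip server_name_list length
                if record[q] == 0:                          # host_name entry
                    nlen = struct.unpack_from("!H", record, q + 1)[0]
                    return record[q + 3:q + 3 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def is_restricted(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == pat or name.endswith("." + pat) for pat in RESTRICTED_PATTERNS)


def isp_verdict(dst_ip: str, client_hello: bytes) -> str:
    """Cheapest check first; SNI parsing and PTR lookups only when needed."""
    if dst_ip in BLOCKED_IPS:
        return "drop:ip-blocklist"
    sni = extract_sni(client_hello)
    if sni is not None:
        return "drop:sni" if is_restricted(sni) else "allow"
    ptr = PTR_TABLE.get(dst_ip)                             # stands in for a real PTR query
    if ptr is not None and is_restricted(ptr):
        return "drop:ptr"
    return "allow"


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "anything.example"),    # IP already on the list
        ("198.51.100.77", "www.google.com"),     # plaintext SNI gives it away
        ("198.51.100.77", "forum.example.net"),  # plaintext SNI, not restricted
        ("198.51.100.5", None),                  # no SNI visible, PTR says www.example.org
        ("198.51.100.9", None),                  # no SNI visible, PTR is harmless
    ]
    for ip, name in cases:
        print(f"{ip:>14} sni={name!s:<20} -> {isp_verdict(ip, build_client_hello(name))}")
```

The ordering in `isp_verdict` mirrors the cost argument in the replies: the IP set lookup is free, the ClientHello walk is per-flow work, and the PTR query is a network round trip the ISP only pays when the first two say nothing. Note that a PTR record is whatever the IP's owner publishes, so the fallback is both easy to evade and prone to false positives on shared hosting.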
Don’t worry, we’ll invent a type of plastic immune to this bacteria and start the whole process anew!
As an aside, ‘plastic eating bacteria’ have been ‘discovered’ countless times over the past several decades.
The overwhelming majority of big companies include a morality clause in their sponsorship contracts that allows them to terminate deals with endorsers based on public sentiment.
This post reminds me of a friend of mine who likes a song so much, he will only listen to it twice a year, once on New Year’s and once on his birthday. He says each time is like the first time because “the pathways stay fresh”. He’s been consistent for at least 7 years.
If you’re curious: Toccata - OVERWERK