I know it exists, have gotten it working with one of those AD compatible samba based DCs before, but not without some messing about. I’d really like to see it as simple as it is in Windows before saying it’s a drop in replacement.

Tried the other day with Mint and ran into something where one of the searches promoted manually editing the hosts file to point to the DC and Kerberos address. That kind of thing shouldn’t be required and is the kind of buggery I’d like to see sorted out.

I have not, the last time I made a real effort at moving to Nix for games was quite a while ago. The big factor is if I can get GOG working since that’s the preferred platform here.

Probably worth a shot. I’ve gotten it working on a version of Ubuntu in the past, but it was far from the simplicity of select domain, give join creds, and reboot that it is with Windows yet.

3 things I’m still looking to get in one distro and Windows will be gone. Not looking to have my desk/lap turn into another ad platform like phones did.

Easy drive mapping for remote shares, most have this but some are a bit clunky.

Solid games support, mostly a WINE thing. One called Bazzite looks promising with a pile of pre-configured profiles.

Easy and reliable connection to a DC so the same creds can be used across multiple machines. This is probably the hardest part in Nix at this point.

Otherwise pretty well every app I use is web based and hosted on some local server, or has a Nix native variant.

I’ve been a user of GOG for a while principally because of the no-drm ability to download a copy of what you bought. When the library starts getting past a certain size though you start to wonder about those things like what if the producer has a falling out and wants to yank it from the platform, does it vanish from my library then too? Are there contracts that say ‘forever’ when they offer it? Would love to find some ‘download all’ option to take a full copy offline of the bought items at once but it’d probably overrun the monthly ISP limits even if they had one.

Seen too many things on Netflix or Spotify that I liked vanish because ‘fuck off, we can’ and although I never anticipated it being ‘bought’ in those cases it does give a lot of justification to find alternate means to reestablish that access.

Nuking anything is never the right decision unless you’re heating up some leftovers. There is no such thing as a justified mass destruction weapon.

Fair point, useful for the city but not missing out on anything by having a private well then though.

Most mobile devices these days default to using a random spoofed MAC, so I have a hard time seeing how that’s effective unless it’s done as a whitelist only.

WiFi pineapples are fun that way. I’ve taken one out on a drive going to our cabin in scanning mode and picked up 100+ different SSIDs along the way. It can also respond as a wildcard to any request that comes by or just be obnoxious and advertise them all at one.

Never setting an ‘auto connect’ for unsecured WiFi is a must in that case. Secured not so much an issue unless the interceptor has the key for the network at least.

As useful as tile is ideal to me. Don’t allow for the global tracking but let’s me make my keys or wallet make a noise when I misplaced them.

It’s pretty much the same thing that ‘tile’ does, it’s scary that they do this as an opt-out though. Having that as a system level function effectively means they can enable or disable it at will without having to have a separate app.

One more bug to sort out with notifications and I’m full time onto GraphineOS.

It says right in there that they can’t see what you are sending or receiving, but seeing the SNI provides content on what you’re doing. Not seeing where it’s false at all.

Using that SNI header profile though if one was inclined and the site doesn’t enforce HSTS it would be simple enough to proxy traffic through their gateway, or to creating a phishing duplication of the site with a DNS redirect.

Discover/offer/request/acknowledge since it didn’t make a pretty picture for me.

Basically it’s just a case of who answers first. A DHCP discover is a broadcast message since the client doesn’t know where or even if there is a server on the net. Whoever gets back to the client first with an offer though will end up with the request/ack following up and get to provide whatever options they push along with the offer.

Claim: if you use HTTPS you are safe!

Overall a solid writeup, but this part could use some clarification. Assuming the VPN client doesn’t leak DNS this is only a concern after exploitation by DHCP option.

Another thing that might be noted, since this is a DHCP based issue the window for compromise is largely going to be at the time of connection unless the server has a particularly short lease time. If there are multiple DHCP servers on the same network answering requests it’s bound to raise some alarms if someone is watching the network so it makes 3rd person exploitation a very noisy method since you would have a race for who offered the lease first.

Edit: Really this attack isn’t just a problem for VPNs but could apply to any network connectivity. A rouge DHCP sever can cause all sorts of havoc. There used to be an single button APK called ‘firesheep’ that would do similar to this by presenting itself as the gateway, although that wouldn’t have allowed for the specific split routing config option push.

Chances are unless you’re actively trying to avoid it the toothpaste you use has it already. I’m not aware of any particular benefits or detriments to having it in the water supply versus the more direct application route.

Edwards described critics of his underage marriage stance as “an army of control freaks that want to entice a pregnant woman into an abortion rather than allow a marriage”

The guy goes on about personal freedom but then puts it as an either/or that someone gets pregnant and they have one of two choices…

https://github.com/smdgames/reactle

Easy enough to change that

Such a charming and rational fellow that one

Short version of this attack, it involves split routing for the tunnels. A lot of clients will have a default route-all to send traffic through the VPN. There is however a limitation to this because the tunnel itself needs a route from the local nic to connect to the VPN endpoint and establish the tunnel, otherwise you end up with a chicken and egg where you can’t establish the VPN. By taking advantage of the DHCP option to set preferred routes (really anything more specific than 0.0.0.0/0) it can tell the host system to send the specified traffic through the local gateway rather than the tunnel’s virtual adapter.

One relatively simple fix if you happen to have a fancy router/firewall on the edge of the network that handles the VPN would be to use policy based routing rather than relying on the underlying network configuration. Static route tables would be possible too, but in theory that could be overridden by just sending a more specific route again than what was set statically.

Shortly after the net neutrality rules where first revoked mine sent a message asking me to opt out of gathering data for sale, so defiantly not always the case. Not trusting some checkbox to prevent them from doing so in the future got everything that can be put through tunnels since.