I deploy so many of these things. I don’t even know what to say.
Fortinet as a security company is like asking a sieve to hold water.
The amount of cvss 10 scores show they’ve got the high score.
If they protect their own network with Fortigate devices no matter the utp atp whatever, they’ve probably been breached for a while.
Hard not to be cynical.
Yeah as a sysadmin I’d also like to ensure casual readers note that windows 11 22h2 is EOL in Ends in 4 weeks (08 Oct 2024).
https://endoflife.date/windows
Please don’t run windows without security patches. Every month there’s about 4 active exploited zero day security vulnerabilities finally getting their patch. https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2024-patch-tuesday-fixes-4-zero-days-79-flaws/
Each month past end of security patch releases just grows your exposure. On Windows and Linux alike.
Coming in Windows 11 24h2 is live patch, Microsoft’s catch up to Linux (a decade late).
I spent like 20 minutes self hosting and running over tailscale so traffic is always private… Never had an issue. I’ve got over 20 devices accessible on it.
Easy to remote register over ssh just by sending the installer plus running with server name plus key, then setting a static password.
I still think gaming wide moonlight is great though. You won’t really regret that.
The hand-etched apology will not appear on the company’s actual devices come global launch
Luckily the article addresses this.
Other then legacy and uefi does it have a CSM compatibility support mode? An option to enable usb initialisation before bios? Eg wait for usb initialisation?
Some “boot faster” options kind of reorder boot initialisation to a point where it’s not holding the system back.
Though I’m really running out of suggestions… I can imagine you’re pretty frustrated. I know my Dell laptop was a pain to get the right settings to get usb to boot and the stupid 100db beep to silent on boot interruption.
And you probably confirmed that live boot worked too I assume.
In the actual bios, can you see a boot order and see uefi for Windows/whatever is on your internal disk? But not any other entries?
I suggest a few more things:
Try a different brand usb. Different motherboards sometimes don’t support some usb brands. In fact, a Lenovo server I rebuilt refused to boot off certain usbs.
Some motherboards don’t initialise boot off some usb ports. Sometimes the additional ports are on another controller and initialise too slow.
Just try a straight working Ubuntu live boot usb to remove any ventoy from equation. Ubuntu has real signed uefi (and no shim) granted by Microsoft. I think that’s how it works, uefi is a mess.
Try to start isolating all the different factors, and there could be more. It doesn’t necessarily mean anything definitive if it works on another machine.
After installing mint, and you find a problem, just live boot mint again.
You can do a lot in live boot including mount your permanent copy even the kernel. Whatever is missing you can download put onto the installed hdd or usb storage, and then install.
Ask me how I know. Lol.
Australian native bees can’t sting, do a great job of pollinating, and make a little honey on the side. They’re very curious from experience with a swarm making a home on my water meter box, but not very scary.
IP and Routing is layer 3, broadcast is layer 2 with Mac addresses being shared within a broadcast domain (often a vlan/lan) and the only requirement for layer 2 is a switch you don’t need routers. Devices on a lan talk only via switches which switch based on Mac address tables. You don’t learn Mac addresses of devices past your broadcast domain, that’s what a router handles.
So in network practice (nothing Linux related) if you are on a broadcast network that’s a /24 subnet, what should happen is all devices within that subnet talk to each other without using a router, instead they learn a mac address and the associated ip from a broadcast from the device which owns it.
If you tell your device that it’s only on a /32 then it should discard every arp it hears as invalid. Which means it won’t learn any neighbouring lan devices.
While your network on your single device with the /32 probably works ok to get to other networks (routed networks like internet or other vlans), because other networks ask the router, and the router probably learned your mac and ip on whatever vlan/interface your device is connected via.
But unless you’re trying to do something unconventional, devices on a lan should match the routers expected subnet. This way devices can trust their assumption that within their subnet they communicate to other local devices by learning other network devices network address via arp, and communicate directly in unicast via learned ips from that arp. If it’s outside the subnet they then look to the gateway. They trust the gateway. The gateway should route to the right interface or next hop.
If you really wanted to make this work though, usually routers can proxy arp. So in this case, you tell the router to ‘oroxy’ and broadcast your arp to other devices. Those devices on your lan looking for your ip will find the routers Mac address, then using destination network address translation you can redirect the incoming connection from a lan device to your device via your router. Then your /32 ip can probably work. Usually this is done when someone has put a static ip on a device with a wrong subnet ip on a vlan with another subnet. So the device which arps is ignored by the router and the other network devices. If you use the router to proxy arp you can basically give the local lan devices an ip to hit that they expect, which then you can translate to the misconfigured device. This generally is considered a bandaid solution temporary until a vendor or technician can fix their misconfiguration. I do not recommend.
I mean, the rdp is from Linux to Windows for desktop application access, so it’s the right tool for that job.
My long battery life performant phone running Android with kernel 4.14.116 would like an update but it was abandoned years ago. Which is a shame.
8gb ram 256gb storage and a locked Bootloader. Sad times
Yes, they’ve been saying it for a year, at this point they’re repeating themselves: https://www.malwarebytes.com/blog/news/2022/11/nsa-guidance-on-how-to-avoid-software-memory-safety-issues/amp
Hmm you could be right. Keeping old protocols running for legacy compatibility reasons could in this case keep the solution working for some time.
The mini version doesn’t need hosting, it doesn’t have a proxy middle man. A 16yo kid reverse engineered the protocol and then got contracted by beeper to implement it as beeper mini. It’s a client directly connecting to apple like imessage native.
Will it break? I’d argue if the cost of breaking it in engineer time is worth doing to Apple, yes. All they’d have to do is roll their own crypto and reverse engineering that might be impossible. Probably easier ways to break it but then maybe it turns into a cat and mouse game.
Legally it’s hard to say if it’s OK too, the end user is likely fine, but the developer especially being contacted may not be since to reverse engineer it could be breaking terms of service or licensing clauses though I’m not really sure what kind of damages could be claimed. To reverse engineer they had to use the original on jailbroken iphones to go through the engineering discovery.
Anyway the point is, it’s not going through beeper or anywhere other than Apple. So there’s no component to host. It’s different to beeper.
Bleeping computer was blocking my vpn but that also sounds common. Not only is there heaps of controls through conditional access policies where you can use device compliance policies and mass download defender for office 365 rules to detect these things, Microsoft also allow a bunch of ways to circumvent that through publishing enterprise apps and leave it to you not to lose your keys. I use one such app a lot called pnp powershell so my powershell can access basically everything and do anything so I can script largely migrations and audits of those migrations into sharepoint. While I do remove that app at the end of my projects, most people just move on.
Of course pure speculation. It’s just not even hard to either footgun yourself, and fortinet have been known to be shooting themselves in the foot, even assuming they tried to put controls in, in the first place.
I’ll read the actual article when I get home to see how impacted I will be though. As a customer, seller and with certifications. Not to mention, maybe there’s something for me to learn about the whole thing anyway.