Why would they need to date anyway? That’s just questioning God’s Plan for them.

You have to open with “Chugga Chugga Choo Choo, we’re all gonna run a train on you!” Or it’s just a plain ole gangbang.

We were very *very *close to replacing our ~700 office Cisco SD-Wan environment with VeloCloud, which is owned by VMware. The Broadcom merger put the brakes on the project completely, they missed out on a few million dollars on that effort alone. The Velo guys were totally in the dark on what was coming down the pipe for them, Broadcom forced them to change hardware vendors on day one, for example.

Full tunnel would not mitigate this attack because smaller routes are preferred over larger ones. So, sure, 0.0.0.0/0 is routed over the tunnel, but a route for 8.8.8.8/32 pointing to somewhere layer2 adjacent, pushed via DHCP option 121, would supercede that due to being more specific.

The Killswitch only checks that VPN is up, not whether traffic is correctly routed over it.

You aren’t wrong, per se, I think you just don’t fully grasp the attack vector. This is related to DHCP option 121, which allows routes to be fed to the client when issuing the ip address required for VPN connectivity. Using this option, they can send you a preferred default route as part of the DHCP response that causes the client to route traffic out of the tunnel without them knowing.

E. It would likely only be select traffic routing out of the tunnel. I could, for example, send you routes so that all traffic destined for Chase Bank ip addresses comes back to me instead of traversing the tunnel. Much harder to detect.

Also used to track ransom notes, etc.

After spending a few minutes mulling it over, I’ve realized the only right move is for me to sell the cube to someone more clever than myself.

Can I only teleport back to where I teleported in from, or can I teleport out of the cube to anywhere I want?

Why didn’t you stick with 3% peroxide to clean it, out of curiosity? Just none available, or am I the only crazy person who does this from time to time?

It probably has to do with being native ipv6 and needing to ride a 6to4 nat to reach the broader internet.

Start at 1400 and walk the MTU down by ~50 until you find stability, then id creep it back up by 10 to find the ‘perfect’ size, but that part isn’t really needed if you’re impatient. :)

E. I found 1290 was needed for reliable VPN over an ATT nighthawk hotspot.

The comparison is a little flat when you consider autopilot has minimum viable weather and road condition requirements to activate, no snow or hail, etc, while human drivers must endure and perform optimally in all road and weather conditions.

deleted by creator

Don’t worry, the house of cards will finally crumble when they are caught using customer deposits to pay this $4.3BB fine.

Your VPN doesn’t have the ability to strip user agent strings on HTTPS requests, this doesn’t seem VPN related imo.

That last line man. Wow.

Poor girl was in serious distress.

Mint shutdown?

deleted by creator

That makes sense! Believe it or not it's actually easier for an ISP to block a whole country than select websites and services. We actually null route all Russian public IP space where I work, that would absolutely be plausible on a national scale as well.

It's imperfect, you can get around it, but it catches 99% of normal users, which is the goal.

You are absolutely correct, I should have lead with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.

However, It's worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don't need to see the SNI flag to know you're accessing something at Google.

First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.

Second, if you target an IP that isn't blocked outright, and I can't see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.

VPN gets around all of these problems, provided you egress somewhere less restrictive.

Hope that helps clarify.