    Posts

    • RE: Extending range for WIFI video cameras

      I just bought one of these used for $20 on Offer UP :flexed_biceps: with shipping 🙂

      I already have an ASUS router so I know I can use this as an extender.

      https://www.asus.com/us/Networking/RTAC66R/

      posted in IT Discussion
      IRJI
      IRJ
    • Extending range for WIFI video cameras

      I want to extend my WIFI range a bit for my security cameras, however I don't have any wiring run in my house nor do I really want to run any.

      Have you guys ever used a plug-in range extender to extend wifi signal? I don't really care too much about performance. All I want is a reliable connection that can make small uploads to the cloud. Recording is only done when motion is detected, so I am not sending a ton of data.

      posted in IT Discussion
      IRJI
      IRJ
    • Take any AWS test at home with online proctoring during Pandemic

      @wrx7m brought this to my attention. Previously just the CCP was available with online proctoring, but now they have opened it up to all tests.

      https://digitalcloud.training/2020/03/23/take-any-aws-certification-exam-from-home/

      posted in IT Careers
      IRJI
      IRJ
    • RE: Best way for teenager to learn to develop a game

      @flaxking said in Best way for teenager to learn to develop a game:

      Does he like action adventure RPGs? https://www.solarus-games.org

      That's pretty cool

      posted in Developer Discussion
      IRJI
      IRJ
    • RE: Path from on-prem Windows servers to hosted/cloud (Azure)?

      When most people think cloud they think of the term Rehost. Which means you move existing resources to the cloud and don't change your design at all. In this case, you are basically doing a Colo and you are not really going cloud.

      Replatforming is the most common and least interrupting way to move to the cloud. Let's say you have a typical application with Web, app, database servers, instead of migrating your entire app to the cloud, you use PaaS for your database and leverage cloudfront for static resources on your web app. You still keep your web and app servers on prem.

      Rearchitecting is the best way to do things, but also the most time consuming and costly in the short term. As @scottalanmiller mentioned, Windows is terrible for cloud servers. My company re-architected the app to work on Linux and leveraged cloud SaaS and PaaS into the application. The result in the long run is less expense, less maintenance, and elasticity.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: Path from on-prem Windows servers to hosted/cloud (Azure)?

      @scottalanmiller said in Path from on-prem Windows servers to hosted/cloud (Azure)?:

      Each stage is one step more managed and inclusive. Basically...

      SaaS > PaaS > IaaS

      Yes, but you cannot move everything to SaaS though. You will need to switch to PaaS in some cases like DBs or to help with your developer by using a PaaS tool like Elastic Beanstalk. That way if you have developers they don't worry much about infrastructure and are able to focus on dev.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: Path from on-prem Windows servers to hosted/cloud (Azure)?

      @Pete-S said in Path from on-prem Windows servers to hosted/cloud (Azure)?:

      I feel there is more value moving from on-prem servers to SaaS than to IaaS. It's simply higher up the value chain.

      Typical companies have infrastructure because they have to, not because it's their mission in life. It's the digital tools and advantages they are after.

      So unless you are a provider yourself, why even bother with infrastructure if you don't have to? Let someone else have that problem.

      I came here to say this exact same thing. You don't need to go full cloud and like @Pete-S said, I see PaaS as the low hanging fruit.

      Migrating SQL to Azure or AWS as a PaaS makes sense because you don't have to maintain the SQL servers, and you can have quick instant backups to S3 or Blob storage.

      It's very easy to scale SQL up and down on the cloud to find the right size.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: MeshCentral - Anyone tried this?

      @scottalanmiller said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?

      It all runs on HTTPS connections.

      I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?

      I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.

      What attack surface? The only thing you access is the web interface.

      That's still a surface. Why even let attackers get to a management server to attempt a brute force or DoS?

      And that is different from letting an attacker attempt to brute force or DoS a VPN?

      You always have an open port to come in.

      That is true, but it doesn't reveal what's behind it. Something like mesh central would be something an attacker would be interested in, but if it's behind your VPN server they have no clue it's even there.

      Except VPNs are far better known and more "interesting". Nothing says "I've got something to hide that I think is valuable" like a VPN. VPNs are big advertisers that someone believes they have something worth something.

      So what? Now you have to break into the VPN and mesh central. It makes it harder for an attacker.

      Breaking into the VPN doesn't net you much if your traffic is encrypted internally, in fact you are in the same spot as having all your valuable assets public facing.

      VPN is easy to implement with minimal hardware in an immutable fashion and gives you an extra layer of defense that is quite difficult to breach.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: MeshCentral - Anyone tried this?

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?

      It all runs on HTTPS connections.

      I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?

      I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.

      What attack surface? The only thing you access is the web interface.

      That's still a surface. Why even let attackers get to a management server to attempt a brute force or DoS?

      And that is different from letting an attacker attempt to brute force or DoS a VPN?

      You always have an open port to come in.

      That is true, but it doesn't reveal what's behind it. Something like mesh central would be something an attacker would be interested in, but if it's behind your VPN server they have no clue it's even there.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: MeshCentral - Anyone tried this?

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @IRJ said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?

      It all runs on HTTPS connections.

      I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?

      I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.

      What attack surface? The only thing you access is the web interface.

      That's still a surface. Why even let attackers get to a management server to attempt a brute force or DoS?

      posted in IT Discussion
      IRJI
      IRJ
    • RE: MeshCentral - Anyone tried this?

      @Grey said in MeshCentral - Anyone tried this?:

      @JaredBusch said in MeshCentral - Anyone tried this?:

      @Grey said in MeshCentral - Anyone tried this?:

      Does the software establish a connection outside the managed network or do you have to vpn to the network to reach the management server?

      It all runs on HTTPS connections.

      I asked if I need to be on the highway to get to my destination, or if I can take surface streets and you told me to use snow tires. WTF?

      I mean it's up to you how you want to design it. I would say putting it behind a VPN is the smart way to do it. Like mentioned earlier, it isn't necessary. However, it greatly reduces your attack surface.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: Infrastructure Engineer Openings in Dallas

      @NetworkNerd said in Infrastructure Engineer Openings in Dallas:

      Strange - I never had an issue with either link.

      I think it was because I was connected to VPN on AWS environment, and maybe it restricts AWS IPs. Some other sites do this.

      posted in IT Careers
      IRJI
      IRJ
    • RE: Distro for school work?

      @notverypunny said in Distro for school work?:

      If they're gaming laptops you might have an easier time with Mint or Manjaro, they used to be easier than straight Ubuntu for getting proprietary drivers to work.

      Mint is based off Ubuntu and Manjaro is based off Arch.

      posted in IT Discussion
      IRJI
      IRJ
    • No more excuses - Get cloud certified

      It's a good time for everyone to get cloud certified. AWS CCP can be taken online and it only costs $100. It's pretty entry level and any IT professional can pass it with a few hours of study.

      As a bonus, you get 50% off your next AWS test after passing. So you can take AWS Solutions Architect for another $75 ($150 - 50%)

      posted in IT Discussion
      IRJI
      IRJ
    • Kr00k Wi-Fi Encryption Vulnerability Affects Over a Billion Devices

      Event: Kr00k Wi-Fi Encryption Vulnerability Affects Over a Billion Devices

      Summary:

      This Kr00k vulnerability, assigned to CVE-2019-15126, triggers vulnerable Wi-Fi devices to use an all-zero encryption key to encrypt part of the user's communication. In a successful exploit, this vulnerability allows an adversary to decrypt wireless network packets transmitted by a vulnerable device. Prior to patching, affected devices totaled well over a billion endpoints, including mobile devices, laptops, computers and Wi-Fi routers. Several manufacturers have released patches for Kr00k.

      Analysis:

      As data packets are transferred over Wi-Fi, these packets are encrypted using a unique key via a 4-way handshake. During the 4-way handshake, the client and wireless access points are generating and installing cryptographic keys. The relevant component to the Kr00k vulnerability is the 128-bit Temporal Key (TK), which is used to encrypt data frames transmitted during the specific client-AP session.

      Disconnection in Wi-Fi networks is a common phenomenon that occurs on a constant basis due to a weak internet signal and frequency interference. While disconnecting, the session-specific TK value is cleared from memory and is subsequently set to an all zero value. However, and accidentally, all data frames that were left in the vulnerable network chip's buffer are transmitted after being encrypted with this all-zero Temporal Key.

      Malicious actors can exploit this weak encryption offload by manually triggering disassociations and intercepting the remaining packets on the network chip.

      Revealed at the RSA 2020 Conference in February, Kr00k impacts devices with Broadcom and Cypress Wi-Fi chips using both WPA2-Personal and WPA2-Enterprise protocols, along with AES-CCMP encryption.

      ESET, the discoverer of the security issue, privately and responsibly disclosed the exploit to the respective manufacturers and companies utilizing the vulnerable Wi-Fi chipsets in the Fall of 2019.

      While the vulnerability affects the disassociation procedure of the implanted chip, it can be mitigated through software or firmware updates.

      Several manufacturers and companies have released security advisories regarding Kr00k in the last four months, which are listed below:

      · Aruba Networks

      · Huawei

      · Sonicwall

      · Apple iOS & iPadOS

      · Apple macOS (Catalina, Mojave, & High Sierra)

      · Cisco

      · Mist

      ESET Lab-Tested Affected Devices & Access Points (Not Limited To):

      Below is a list of devices confirmed by ESET Labs that revert the Temporal Key to the all-zero value for packet interception and encryption. While this is not a complete list, the list should give system administrators/managers an idea about the type of devices susceptible to the attack.

      · Amazon Echo 2nd gen

      · Amazon Kindle 8th gen

      · Apple iPad Mini 2

      · Apple iPhone 6, 6S, 8, XR

      · Apple MacBook Air Retina 13-inch 2018

      · Google Nexus 5, 6, 6P

      · Raspberry Pi 3

      · Samsung Galaxy S4 GT-I9505

      · Samsung Galaxy S8

      · Xiaomi Redmi 3S

      · Asus RT-N12

      · Huawei B612S-25d

      · Huawei EchoLife HG8245H

      · Huawei E5577Cs-321

      Recommended Actions:

      Health-ISAC recommends immediate patches of affected devices utilizing Cypress and Broadcom chips by keeping software and firmware in their latest version.

      Health-ISAC additionally recommends initiating updates on wireless access points that require manual activation. While this may result in a temporary loss of service, the prevention of packet interception will result in a significantly more secure environment for all users.

      References:

      CVE-2019-15126 National Vulnerability Database
      https://nvd.nist.gov/vuln/detail/CVE-2019-15126
      ESET: KR00K - CVE-2019-15126 Serious Vulnerability Deep Inside Your Wi-Fi Encryption
      https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
      RSA Conference: Kr00k: How KRACKing Amazon Echo Exposed a Billion+ Vulnerable WiFi Devices
      https://www.rsaconference.com/usa/agenda/kr00k-how-kracking-amazon-echo-exposed-a-billion-vulnerable-wifi-devices
      Bleeping Computer: Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
      https://www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/

      posted in IT Discussion
      IRJI
      IRJ
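
The ordering problem described in the Kr00k Analysis above, as a simplified C model added here (not code from the post, ESET, or any chip vendor): frames still in the transmit buffer go out after the Temporal Key has been zeroed. All struct and function names are hypothetical, and the hardened variant, which discards queued frames before clearing the key, is an assumed fix for illustration, since the post only states that patches exist.

```c
#include <stdint.h>
#include <string.h>

#define TK_LEN 16

/* Constructed model of per-session chip state (hypothetical names). */
struct wifi_session {
    uint8_t tk[TK_LEN];      /* 128-bit Temporal Key from the 4-way handshake */
    int queued;              /* data frames still waiting in the TX buffer */
};

/* What left the radio during a disassociation, and under which key state. */
struct tx_report {
    int frames_sent;
    int frames_sent_zero_tk; /* frames protected only by the all-zero key */
};

static int tk_is_zero(const uint8_t tk[TK_LEN]) {
    uint8_t acc = 0;
    for (int i = 0; i < TK_LEN; i++) acc |= tk[i];
    return acc == 0;
}

/* Drain the TX buffer, recording the key state each frame was sent under. */
static void drain(struct wifi_session *s, struct tx_report *r) {
    while (s->queued > 0) {
        s->queued--;
        r->frames_sent++;
        if (tk_is_zero(s->tk)) r->frames_sent_zero_tk++;
    }
}

/* Behaviour the advisory describes: key cleared first, buffer sent after. */
struct tx_report disassoc_vulnerable(struct wifi_session *s) {
    struct tx_report r = {0, 0};
    memset(s->tk, 0, TK_LEN);
    drain(s, &r);
    return r;
}

/* Assumed fix: discard queued frames first, then clear the key. */
struct tx_report disassoc_hardened(struct wifi_session *s) {
    struct tx_report r = {0, 0};
    s->queued = 0;
    memset(s->tk, 0, TK_LEN);
    drain(s, &r);
    return r;
}

/* Constructed sample session: non-zero TK and n buffered frames. */
struct wifi_session make_session(int n) {
    struct wifi_session s;
    memset(s.tk, 0xA5, TK_LEN);
    s.queued = n;
    return s;
}
```
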
    • RE: Infrastructure Engineer Openings in Dallas

      Getting this on both links....

      ef1ea3b2-c8e2-498f-89fb-3bcccad7dc9b-image.png

      posted in IT Careers
      IRJI
      IRJ
    • RE: Virtual team ideas?

      @DustinB3403 said in Virtual team ideas?:

      Time sensitivity is important, people have a hard time showing up on time for a meeting physically. Making people wait with a headset on is just additional irritation that they won't take well.

      I personally always show up early 1-5 minutes for a meeting. If I had to wait an additional 15 I'd be using college rules and counting my attendance as there even if the host isn't.

      I think putting a headset on is easier than going to a room of people honestly.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: Virtual team ideas?

      Zoom and Slack are very helpful tools for remote collaboration. Zoom free is good enough in most cases. I regularly work with remote people and am remote myself. Anytime we are trying to tackle something we set up a Zoom call and do some screensharing. It actually works better than collaboration in person most of the time, tbh.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: RDP to RDP to RDP?

      @Pete-S said in RDP to RDP to RDP?:

      @IRJ said in RDP to RDP to RDP?:

      @Pete-S said in RDP to RDP to RDP?:

      Is there a smarter way to connect through several RDP sessions instead of doing each one manually?

      So if you want to go:
      host1 -> host2 -> host3

      Is there a way to do this in one step instead of first connecting to host1 then from there start a connection to host2 and then from there start a connection to host3?

      Why can't you just connect to host 3?

      I am assuming host 1 is a public IP and host2 and host3 are internal?

      Yes, host 1 is reached over VPN and the rest are different internal networks and subnets with firewall restrictions. Enterprise customers. So the only way is to connect to the servers in this particular order.

      So you could create a bastion host behind VPN on its own subnet. Then allow incoming RDP traffic from this bastion host.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: RDP to RDP to RDP?

      @scottalanmiller said in RDP to RDP to RDP?:

      @IRJ said in RDP to RDP to RDP?:

      Why can't you just connect to host 3?

      If only he'd have thought to put in the right IP address the first time, LOLOL.

      I mean generally host 1 (bastion in this case) would be configured to connect to either host 2 or host 3.

      posted in IT Discussion
      IRJI
      IRJ