Hacker News new | ask | show | jobs
by 1vuio0pswjnm7 135 days ago
I remember the term "clown computing" to describe "cloud computing" from IRC earlier than 2016

I use a localhost TLS forward proxy for all TCP and HTTP over the LAN

There is no access to remote DNS, only local DNS. I use stored DNS data periodically gathered in bulk from various sources. As such, HTTP and other traffic over TCP that use hostnames cannot reach hosts on the internet unless I allow it in local DNS or the proxy config

For me, "WebPKI" has proven useful for blocking attempts to phone home. Attempts to phone home that try to use TLS will fail

I also like adding CSP response header that effectively blocks certain Javascript

It sounds like the blog author gave the NAS direct access to the internet

Every user is different, not everyone has the same preferences
4 comments
1vuio0pswjnm7 133 days ago
Another habit I follow is to set the gateway of (a) computers I cannot trust, i.e., ones running corporate OS I cannot control, to (b) a computer that I believe I can control running UNIX-like OS that I compiled from source

I run tcpdump on (b)

(b) is the only computer with direct access to the internet

The only time I have seen a sentry.io DNS request is from (a)

link
simoncion 135 days ago
> It sounds like the blog author gave the NAS direct access to the internet

FTFA:

  Every time you load up the NAS [in your browser], you get some clown GCP host knocking on your door, presenting a SNI hostname of that thing you buried deep inside your infrastructure. Hope you didn't name it anything sensitive, like "mycorp-and-othercorp-planned-merger-storage", or something.
  
  Around this time, you realize that the web interface for this thing has some stuff that phones home, and part of what it does is to send stack traces back to sentry.io. Yep, your browser is calling back to them, and it's telling them the hostname you use for your internal storage box. Then for some reason, they're making a TLS connection back to it, but they don't ever request anything. Curious, right?
  
  This is when you fire up Little Snitch, block the whole domain for any app on the machine, and go on with life.
I disagree with your conclusion. The post speaks specifically about interactions with the NAS through a browser being the source of the problem and the use of an OSX application firewall program called Little Snitch to resolve the problem. [0] The author's ~fifteen years of posts demonstrate that she is a significantly accomplished and knowledgeable system administrator who has configured and debugged much trickier things than what's described in the article.

It's not impossible that the source of the problem has been misidentified... but it's extremely unlikely. Having said that, one thing I do find likely is that the NAS in question is isolated from the Internet; that's just a smart thing that a savvy sysadmin would do.

[0] I find it... unlikely that the NAS in question is running OSX, so Little Snitch is almost certainly running on a client PC, rather than the NAS.

link
1vuio0pswjnm7 134 days ago
Or the author gave a browser direct access to the internet

For example, I have seen a freshly installed Firefox Nightly try to connect to sentry.io on startup

For me, these attempts never succeed

link
1vuio0pswjnm7 134 days ago
"snowgoose"
link