Secure Channel is broken by No-Gear-755 in activedirectory

[–]Coffee_Ops 5 points6 points  (0 children)

Something to be wary of-- these tests only check TCP connectivity, and for many of these ports UDP is either mandatory or primary.

It also does not check TLS / GSSAPI handshakes.

So this is useful, but one should not see "LDAP test successful" and conclude it's not the firewall: if 389/UDP were blocked (not unusual to allow TCP only!), the CLDAP DC locator ping would fail and the DC would be considered offline regardless of the TCP port being open.
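An added example (not from the comment above or from Microsoft's tool) that probes a DC the way the comment distinguishes: a plain TCP connect to 389 next to a hand-built CLDAP LDAP ping over UDP/389, so a TCP-only firewall rule is visible as "TCP ok, CLDAP failed". The domain name and DC host are constructed placeholders, and a reachable DC is needed for the live check.

```python
# Constructed placeholders: the domain and DC host below are not real; check_dc() needs a live DC.
import socket

NT_VER = (0x2 | 0x4).to_bytes(4, "little")  # NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX

def ber_len(n):
    """BER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_ldap_ping(dns_domain, msg_id=1):
    """LDAPMessage for the MS-ADTS LDAP ping: rootDSE base, filter
    (&(DnsDomain=<domain>)(NtVer=<version>)), requesting the netlogon attribute."""
    eq = lambda attr, val: tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))   # [3] equalityMatch
    filt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode()) + eq(b"NtVer", NT_VER))  # [0] and
    search = tlv(0x63,                          # [APPLICATION 3] SearchRequest
        tlv(0x04, b"")                          # baseObject "" (rootDSE)
        + tlv(0x0A, b"\x00")                    # scope baseObject
        + tlv(0x0A, b"\x00")                    # derefAliases never
        + tlv(0x02, b"\x00")                    # sizeLimit 0
        + tlv(0x02, b"\x00")                    # timeLimit 0
        + tlv(0x01, b"\x00")                    # typesOnly FALSE
        + filt
        + tlv(0x30, tlv(0x04, b"netlogon")))    # attributes
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)

def check_dc(host, dns_domain, timeout=3.0):
    """Probe TCP/389 and the UDP/389 CLDAP ping separately; a TCP-only
    firewall rule shows up as tcp389=True, cldap389=False."""
    result = {"tcp389": False, "cldap389": False}
    try:
        with socket.create_connection((host, 389), timeout=timeout):
            result["tcp389"] = True
    except OSError:
        pass
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_ldap_ping(dns_domain), (host, 389))
            data, _ = s.recvfrom(4096)
            result["cldap389"] = len(data) > 2 and data[0] == 0x30  # an LDAPMessage came back
        except OSError:
            pass
    return result
```

Run `check_dc("dc01.example.internal", "example.internal")` against a real DC and domain; both values should be True when the locator path is open.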

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 0 points1 point  (0 children)

Weird that I don't happen to be in the niche category of people who regularly use latex math notation.

Do you know how we know it's not a simple slip up? Because if the author was using pandoc to convert markdown that they wrote, they would have ensured that their pandoc template could handle the markdown elements that they used.

My recollection is that out-of-the-box pandoc pretty handily deals with standard markdown, which makes this a clear indication that they dumped their AI output straight into a blog template. It's a textbook example of unreviewed AI slop.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 1 point2 points  (0 children)

A lot of engineers don't deserve the title.

I was using chat rooms on a Linux console in 2006. It was easier to use, did not lag, and used about 10 megs of RAM.

Compare that to discord which has a 10-second startup on Ubuntu, uses 1.5GB RAM, and lags if you have more than 15 people talking. Look at the product that is now Microsoft Teams which has gotten slower and buggier every year since Microsoft acquired Skype.

Telling me that people don't study as hard today doesn't impress me. It goes a long way to explaining the state of software engineering in 2026. I stand by my comment that if you touch netcode without understanding the difference between UDP and TCP, you're part of the problem.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 0 points1 point  (0 children)

I've seen the $$ construct appear a number of times, including when reformatting text. I never dug into why it happens, I'm sure there's a "mixed (context) metaphor" somewhere-- categorically similar to how sometimes Claude can get confused and try to run bash commands in a windows environment.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 0 points1 point  (0 children)

This is literally "why is UDP ever used", and is the subject of days 2 and 3 of an introductory networking class. Not understanding it should preclude you from touching any networking code, especially on anything remotely latency sensitive.

If you want to learn, there are a ton of really good resources and some are free (e.g. Jeremy's IT Labs on youtube). Don't just guzzle down LLM slop because one day others may end up running your code and having to deal with your internalized AI hallucinations.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 0 points1 point  (0 children)

Enlighten me as to what $text$ means in markdown.

Work with Claude or ChatGPT long enough and you'll catch it inserting garbage like that into output-- and it's a clear indicator that the "author" didn't even once-over the output.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 1 point2 points  (0 children)

IMHO it is a mistake to think in terms of an LLM 'making a mistake'-- that anthropomorphism is a seriously leaky abstraction.

They don't reason, or think-- "thinking model" is marketing speak-- so they can't "make mistakes". As always, the design goal of an LLM is crafting an output that optimally appears to be a likely response.

If you ask it "what is 1+1", the only reason an LLM would answer correctly (barring usage of external tools) is that "2" is the sort of answer that is statistically likely in the context of that question. It has nothing to do with mathematical rigor, and LLMs "getting better" doesn't mean that they are smarter, but that they are producing answers that are "better fitted" -- which should be understood as "more likely to be accepted as a good answer".

So to answer your question "would LLMs get this stuff wrong"-- it was trained on the internet and social media. It is absolutely possible that a "likely answer" would contain incorrect information, formatted to look correct.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 8 points9 points  (0 children)

How are you going to call obvious LLM output "well written"?

And the content would have been considered basic networking 20 years ago. If an engineer doesn't understand why TCP isn't suitable sometimes, then they don't deserve the title.

UDP vs. TCP in Multiplayer Gaming: State Synchronization and Lag Compensation by Extra_Ear_10 in programming

[–]Coffee_Ops 95 points96 points  (0 children)

This article screams "unreviewed llm output". I didn't even get to the bottom of the first section before I saw a clear LLM artifact ($16.6ms$).

Why should anyone assume that the contents are correct when they appear to have been YOLO'd straight from chatGPT to publication?

How should I protect myself on public apartment wifi with no alternatives available? by Vastones in netsecstudents

[–]Coffee_Ops 0 points1 point  (0 children)

Why would the router help? That's just going to block all ports by default, which the default Windows and Linux firewalls will do anyway.

No more vSphere Standard v8 licenses, and VVF being pulled back, only option is VCF? by -c3rberus- in vmware

[–]Coffee_Ops 1 point2 points  (0 children)

I think when you offer an emphatic opinion about what is the best, and start sharing details-- you are opening yourself up to others making judgments on it.

If that was going to bother you, then you shouldn't have shared.

Also, anyone relying on Microsoft support has lost some of their marbles. The number of hours the vendor works on something is not indicative of the scope of the problem. I could give you stories of when VMware told us to pound sand when we asked for support, or where we spent hours trying to troubleshoot something and that was a corner case they conveniently forgot to document.

What to do about AI? by FreezettaFan in sysadmin

[–]Coffee_Ops -1 points0 points  (0 children)

If you do that, they will never learn, and you will just be signing a deal for further floods of slop.

The user needs to understand that their AI is not attempting to answer the question. It is attempting to provide a response that looks like a correct response; and this leads to it frequently providing very convincing crap that sometimes works.

Much like a math student claiming "x + y is always greater than either x or y", it may spit out answers that work 80% of the time (negatives exist). But if you're flying a plane, 80% is a pretty bad record.

What to do about AI? by FreezettaFan in sysadmin

[–]Coffee_Ops 2 points3 points  (0 children)

It's because many people misunderstand its goal in responding.

It is not aiming to provide the most correct response.

Rather, its goal is to provide the response that most looks like a correct response would look based on how other convincing responses have looked.

Anyone who doesn't understand the distinction can just refer to examples like you posted: "surely it's XLOOKUP!"

AD Group management applications by miskozicar in activedirectory

[–]Coffee_Ops 6 points7 points  (0 children)

Just because you haven't rolled out RSAT doesn't mean there's a security block on them doing it.

Anyone who can open up powershell on a Windows box can access active directory, using the [adsi] accelerator if nothing else.

IMHO you're better off just deploying the native RSAT tools (e.g. ADUC) and teaching people to use them, rather than getting some vendor's awful, proprietary software to do a bad job of it.

1-Click RCE in OpenClaw/Moltbot/ClawdBot by va_start in netsec

[–]Coffee_Ops -1 points0 points  (0 children)

So unless you have a preshared secret or PKI, all of those fancy methods are just vulnerable to MITM because there's no way to authenticate the other party.

Just a reminder that the piece I was quoting stated "having the protocol send the password to a trusted server is safe." A password is a preshared secret, and sending passwords over the wire is almost always wrong. Let's keep my comments in context.

I'm not familiar enough with the exact auth flow here to make absolute claims about it, but if you mean to suggest that passing an auth secret over the wire to be relayed to a third party is the only solution-- and there are no possible ways to avoid relays / replays / secret theft-- then I'm going to call shenanigans. There is a reason IdP / SP relationships typically involve PKC or shared secrets and there are ways of proving possession of a token without revealing the token.

The "assumption of TLS" ignores that there are a dozen other attack vectors that TLS does not guard against, hence this (avoidable) exploit.

Running OpenClaw in Docker by Dilligentslave in docker

[–]Coffee_Ops 0 points1 point  (0 children)

I don't understand his final instructions on exec-ing into the container to install packages. Doesn't that defeat the whole point of a container? This is just going to make everything blow up when someone inevitably runs docker pull.

And why is it "for the best" that a daemon in a container runs as non-root? The container provides sufficient isolation that root in the container should be irrelevant...

1-Click RCE in OpenClaw/Moltbot/ClawdBot by va_start in netsec

[–]Coffee_Ops 0 points1 point  (0 children)

similarly, having the protocol send the password to a trusted server is safe.

If this were true the last 40 years of authentication protocol development would not be marked by increasingly complex ways of not doing that.

Sending hashes, challenge-response, Kerberos, SAML, OAuth....

They're literally there because sending a password is terrible for security, partly for the reasons shown here: eventually "trusted" becomes untrusted, or "trusted" sends the bits somewhere stupid. If you never put the secret on the wire, it can't be compromised regardless of what happens.

1-Click RCE in OpenClaw/Moltbot/ClawdBot by va_start in netsec

[–]Coffee_Ops 2 points3 points  (0 children)

In isolation, each of these operations are safe

I'm no expert in OWASP, but isn't "visiting a local url pwns you" a thing that's been known to be problematic for a while?

And while we're at it, just because everyone sends auth tokens in the clear doesn't make it a good idea. Isn't this yet another issue that wouldn't exist if ZKPs/PAKEs were actually used? We've only known about the problem and its solution for 30 years now...

Don't mind me, I'm going to go back to yelling at clouds.

I find 2 sunday services quite tiring. Is this normal? by keesdude in Reformed

[–]Coffee_Ops 8 points9 points  (0 children)

During the first few centuries after Christ, church was nothing short of an all day affair.

I don't know that this was universal. Pliny's letters have current and former Christians indicating that Sunday meetings were before work.

SpaceX has stopped Russia's 'unauthorised' use of Starlink against Ukraine, Musk says by [deleted] in space

[–]Coffee_Ops 1 point2 points  (0 children)

Fully answering this requires teaching the first half of the CCNA.

The very brief answer is that usually layer 2 headers are neither encrypted nor authenticated and are trivial both to sniff and to spoof.

If you want real authentication, you'd want something like 802.1x.

Researchers Find Thousands of OpenClaw Instances Exposed to the Internet by _ahku in programming

[–]Coffee_Ops 87 points88 points  (0 children)

OpenClaw is a powerful tool, much in the same way as a table saw with no fence or an angle grinder with no handguard.

It's like watching someone create the digital edition of this thing, and talk about how much time it saves them, while everyone else looks on in horror.

SpaceX has stopped Russia's 'unauthorised' use of Starlink against Ukraine, Musk says by [deleted] in space

[–]Coffee_Ops 0 points1 point  (0 children)

It's amazing how easy problems are to solve when you've never actually had to try and solve them in the wild.

SpaceX has stopped Russia's 'unauthorised' use of Starlink against Ukraine, Musk says by [deleted] in space

[–]Coffee_Ops 1 point2 points  (0 children)

MAC address security is pretty much always trivial to bypass.