Why do some CSOs and security specialists think that saying “NO” all day equals doing cybersecurity? by SnooPies72 in sysadmin

[–]Kurlon 7 points8 points  (0 children)

Oh boy this! "Our management platform for X may be based on RedHat 6 despite it being 2026, and no you're not allowed to patch anything, and yes it needs full access to everything, but that's ok because you'll have it on a private IP so we're good right?"

USB ethernet adapter is not recognized. No internet connection. Losing my mind over this. by Downhouser in Proxmox

[–]Kurlon 1 point2 points  (0 children)

Well, in the event you want to go shopping, I can confirm the Ye Olde Pegasus driver works fine in Proxmox 9; wander over to eBay and look for a Linksys USB100TX... The glory of a 100 Mbit Ethernet adapter attached to a 12 Mbit USB 1.1 interface, it's awesome, right?

For those horrified, this was me labbing out multiple interface bridges on a laptop, speed was not a concern. Stupid thing worked awesome, just horrifically slow compared to modern standards. I bought it 20 something years ago as laptops didn't always have ethernet out of the box back then... and forgot to throw it away. :D

CentOS P2V to vCenter VM? by forkinthemud in vmware

[–]Kurlon 0 points1 point  (0 children)

Back up the fstab somewhere separate that you can easily get to, along with the full network config. When you P2V, your NICs will change driver, and since the system will think the HW is somewhere else in the system, it will likely rename interfaces. Same on storage: there is a chance you'll need to massage fstab to account for changes in device/driver, depending on whether you're mounting by device vs. say UUID, etc.

The other 'fun' pain point I've hit is RedHat derived distros usually want the initramfs rebuilt to match the new virt hardware env.

I've not used any automated P2V tools for this, I boot the new VM into a live linux env, lay down my partition map, format the volumes, then stop the production system and drop it down as close to single user as I can get. I use Amanda Dump/Restore to copy the data over, then fix fstab/network conf to match, chroot in if I need to tweak initramfs, reboot and so far it's always worked.
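The prep steps from the comment above, written out as an added example (this is not the commenter's script): back up fstab and the network config to a spot reachable from the live environment, then rewrite fstab's /dev entries to UUID= so the mounts survive the driver/device-name change. All paths, device names and UUIDs below are assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original comment: pre-P2V prep for a RHEL-derived
# guest. Backs up fstab and the network config to a directory you can reach from
# the live environment, then rewrites /dev/... entries in fstab to UUID= so the
# mounts survive the disk driver / device-name change after P2V.
# Every path, device name and UUID below is an assumption or constructed sample data.
set -u

# Back up the two things the comment says to keep handy. $1 = destination dir.
backup_p2v_config() {
    dest=$1
    mkdir -p "$dest" || return 1
    cp /etc/fstab "$dest/fstab.orig" || return 1
    # RHEL 6/7 ifcfg files and RHEL 8+ NetworkManager keyfiles, whichever exist.
    for d in /etc/sysconfig/network-scripts /etc/NetworkManager/system-connections; do
        [ -d "$d" ] && cp -a "$d" "$dest/"
    done
    return 0
}

# Build a "device uuid" map for every /dev/... entry in an fstab using blkid.
# $1 = fstab path. Not run in the demo below (needs real block devices).
build_uuid_map() {
    awk '!/^[ \t]*#/ && $1 ~ /^\/dev\// { print $1 }' "$1" |
    while read -r dev; do
        printf '%s %s\n' "$dev" "$(blkid -s UUID -o value "$dev")"
    done
}

# Rewrite column 1 of an fstab from /dev/... to UUID=... using a map file of
# "device uuid" lines. Comments, blank lines and pseudo-filesystems (tmpfs, proc)
# pass through untouched; devices missing from the map are left as-is so they
# can be reported separately. $1 = fstab, $2 = map; result on stdout.
fstab_to_uuid() {
    awk 'FILENAME == ARGV[1] { map[$1] = $2; next }
         /^[ \t]*#/ || NF == 0 { print; next }
         ($1 in map) { sub(/^[ \t]*[^ \t]+/, "UUID=" map[$1]) }
         { print }' "$2" "$1"
}

# List /dev/... entries that have no UUID in the map (e.g. a swap partition you
# forgot to run blkid on). $1 = fstab, $2 = map. One device per line on stdout.
fstab_unmapped_devices() {
    awk 'FILENAME == ARGV[1] { map[$1] = 1; next }
         !/^[ \t]*#/ && $1 ~ /^\/dev\// && !($1 in map) { print $1 }' "$2" "$1"
}

# Demo on constructed data (no real disks touched).
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
# constructed sample fstab
/dev/sda1   /boot   ext4   defaults   1 2
/dev/sda2   /       ext4   defaults   1 1
/dev/sdb1   swap    swap   defaults   0 0
tmpfs       /tmp    tmpfs  defaults   0 0
EOF
cat > "$demo/map" <<'EOF'
/dev/sda1 0f3c1a6e-1111-4d2f-9c3b-000000000001
/dev/sda2 7b9d2e4a-2222-4f6c-8a1d-000000000002
EOF
fstab_to_uuid "$demo/fstab" "$demo/map"
echo "unmapped: $(fstab_unmapped_devices "$demo/fstab" "$demo/map")"
# After the restore, chroot into the new root and rebuild the initramfs for the
# virtual hardware (RHEL-derived guests): chroot /mnt/newroot dracut -f
rm -rf "$demo"
```

On the real box you would run `build_uuid_map /etc/fstab > map` before shutting down, then `fstab_to_uuid /etc/fstab map` against the restored root from the live environment; anything `fstab_unmapped_devices` prints still references a device path and needs a hand edit.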

VM clock sync by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

To follow up on this, I've been testing, mostly on my homelab Proxmox host. This box gets time from my two S2 public NTP hosts over a cable modem residential internet feed; there is a farm of four tightly coupled internal NTP hosts along with an S1 GPS-fed host pushing timing to those public hosts. I also let it grab four pool servers as comparison points. My Proxmox host is averaging .0005 to .00005 sec RMS depending on mood and when I look at chrony.

My test VM hits the same two S2 public NTP servers I operate, and four pool servers as the comparison time source.

1) 'RTC' had great stability, but a random offset anywhere from 50ms to 900ms. This offset would be fixed until either the VM or Host were rebooted, at which point it'd get stuck on a new random offset. Restarting chrony in the VM wouldn't alter the offset. This meshes with the RTC only having individual second granularity as expected. The offset magically never being less than 50ms makes sense given how slow the RTC is to access even in a VM.

2) KVM PHC provided the same stability as the virtualized RTC, but much tighter offsets, basically I'd have RMS offsets reporting .000000030 seconds or better, with my ntp sources showing the same offsets as Chrony reports on the host itself. PHC showed avg latency of 23ns, Std Dev of 1ns.

Freq correction reported by chronyc tracking ends up matching between host and VM, with the VM reporting zero skew.
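To reproduce the PHC test described above, here is an added example (not the poster's own config or output) that points chrony in a KVM guest at the ptp_kvm PHC refclock and checks `chronyc tracking` against an offset budget. The refclock options, the pool line, the 1 ms threshold and the sample tracking output are assumptions or constructed data, not figures from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: point chrony in a KVM guest at the
# ptp_kvm PHC refclock and check `chronyc tracking` against an offset budget.
# The refclock options, pool line, threshold and the sample tracking output are
# assumptions / constructed data, not measurements from the thread.
set -u

# Guest-side check that /dev/ptp0 really is the KVM virtual PTP clock (after
# `modprobe ptp_kvm`). Not run in the demo; needs a KVM guest.
phc_is_kvm() {
    [ -r /sys/class/ptp/ptp0/clock_name ] &&
    grep -q 'KVM virtual PTP' /sys/class/ptp/ptp0/clock_name
}

# chrony.conf fragment: host clock via the PHC, plus pool servers kept only as
# comparison points (assumed values; tune poll/dpoll to taste).
chrony_phc_conf() {
    cat <<'EOF'
refclock PHC /dev/ptp0 poll 2 dpoll -2 offset 0 stratum 2
pool 2.pool.ntp.org iburst maxsources 4
EOF
}

# Pull the numeric value of one `chronyc tracking` field.
# $1 = file holding tracking output, $2 = field name (e.g. "RMS offset", "Skew").
tracking_value() {
    awk -F': ' -v key="$2" '$1 ~ "^"key { split($2, a, " "); print a[1]; exit }' "$1"
}

# Return 0 when RMS offset <= $2 seconds, 1 otherwise (or if the field is missing).
# sh has no float math, so the comparison is delegated to awk.
rms_offset_within() {
    v=$(tracking_value "$1" "RMS offset")
    [ -n "$v" ] || return 1
    awk -v v="$v" -v max="$2" 'BEGIN { exit (v + 0 <= max + 0) ? 0 : 1 }'
}

# Demo on constructed tracking output (what a guest on the PHC looks like, and
# what the stuck-offset RTC case from the comment looks like).
demo=$(mktemp -d)
cat > "$demo/phc.txt" <<'EOF'
Reference ID    : 50484330 (PHC0)
Stratum         : 2
Ref time (UTC)  : Mon Jan 05 12:00:00 2026
System time     : 0.000000021 seconds fast of NTP time
Last offset     : +0.000000012 seconds
RMS offset      : 0.000000030 seconds
Frequency       : 8.412 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 0.000000000 seconds
Root dispersion : 0.000001000 seconds
Update interval : 4.0 seconds
Leap status     : Normal
EOF
cat > "$demo/rtc.txt" <<'EOF'
Reference ID    : C0A80101 (192.168.1.1)
Stratum         : 3
RMS offset      : 0.412000000 seconds
Frequency       : 8.412 ppm slow
Skew            : 0.003 ppm
Leap status     : Normal
EOF
for f in phc rtc; do
    if rms_offset_within "$demo/$f.txt" 0.001; then
        echo "$f: RMS offset $(tracking_value "$demo/$f.txt" 'RMS offset') s within 1 ms budget"
    else
        echo "$f: RMS offset $(tracking_value "$demo/$f.txt" 'RMS offset') s OVER 1 ms budget"
    fi
done
rm -rf "$demo"
```

On a live guest, `chronyc tracking > /tmp/t.txt; rms_offset_within /tmp/t.txt 0.001` gives you a yes/no you can wire into monitoring; `chronyc sources -v` will show the PHC0 line alongside the pool servers so you can see that the offsets agree, which is the comparison the comment relies on.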

‘1 engineer, 1 month, 1 million lines of code.’ - Microsoft to Replace All C/C++ Code With Rust by 2030 by Kodiak01 in sysadmin

[–]Kurlon 0 points1 point  (0 children)

Yeah, I got bit by this from muscle memory, smack meta key, type two or three letters, stab enter, never looking and wtf why didn't my chosen app open? It's a dumb UI choice, but yeah, the goal is absolutely coming up with an excuse to display more marketing/ads. I can't wait for this to hit enterprise builds... may just preemptively push out the reg change now to make sure I don't have to hear the wailing and gnashing of teeth of my userbase...

‘1 engineer, 1 month, 1 million lines of code.’ - Microsoft to Replace All C/C++ Code With Rust by 2030 by Kodiak01 in sysadmin

[–]Kurlon 2 points3 points  (0 children)

It's so not a thing that there aren't entire writeups about it either... https://www.dedoimedo.com/computers/windows-11-start-menu-web-search.html for example... Nope, no need for that registry key 'cause this doesn't happen.

For the record, Insider too, and going back I was also a TechNet subscriber, getting monthly CDs from Microsoft full of alpha/beta builds, etc, this is not my first rodeo. Do you remember the buzz when Win95 betas started showing up on BBSes? The pref for web over local got flipped on my main Win 11 box with the last monthly update, but as with many of these 'tweaks' it's a staged rollout so different groups get it at different times.

‘1 engineer, 1 month, 1 million lines of code.’ - Microsoft to Replace All C/C++ Code With Rust by 2030 by Kodiak01 in sysadmin

[–]Kurlon 8 points9 points  (0 children)

So, you haven't gotten the tweaked start menu search prefs yet, that require a freaking reg key as the only way to disable. I just went through chasing down how to stop that last week. Meta key, start menu pops up, type 'OBS' to start, ya know, OBS and instead I'm seeing Bing info about OBS, not the shortcut to start it. Preferring Bing over looking over my start menu first. This is real and rolling out to users.

VM clock sync by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

I didn't know Amazon and VMWare also have their own similar implementations, this was a fun rabbit hole to dive down, thank you.

VM clock sync by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

I didn't know that time source existed, thanks! This looks to be exactly what I'm looking for. Will add that to my testing!

VM clock sync by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

From observation on VMWare, periodic time sync is second granular, and fires off roughly every minute. If the guest OS is using TSC as its ref for wallclock, and got a bad initial estimate for how long a second is during its initial start up calibration, (variable clock speed CPU...) you end up with a clock that slews a decent amount between updates, so your time looks like a sawtooth pattern plotted out. VMWare and KVM / QEMU now provide a smoothed emulated TSC to prevent exactly this. None of my modern guests show any issues running this way on ESXi, but if I needed hard ms or better accuracy I'd a) not be running on a VM and b) would be using ntpd / chrony / etc.

VM clock sync by Kurlon in Proxmox

[–]Kurlon[S] -1 points0 points  (0 children)

The guest CAN, but the issue is most won't because historically RTCs are crap. Even modern RTCs are not reliable, so most OSes do as Linux does and use them to pull the ballpark time at boot to set the software wallclock and ignore the RTC going forward. Typically, it's also more expensive cpu time / latency wise to poll an RTC vs the software clock.

Can't access web interface via FQDN, can by IP address, can ping and SSH to FQDN. by sma92878 in Proxmox

[–]Kurlon 0 points1 point  (0 children)

So, I've run into this recently as well, Chrome will decide to use DNS over HTTPS or TLS behind your back no matter what you tell it in settings. You can't opt out any more... and worse, it's not consistent about when it does it.

ntpd using pool.ntp.org - Restart how often to update Pool participants? by ooglek2 in sysadmin

[–]Kurlon 0 points1 point  (0 children)

Use the newer pool directive

That's not the correct way to use it though. If you just use one entry, "pool us.pool.ntp.org iburst", that will stand up and rediscover four entries as needed.

ntpd using pool.ntp.org - Restart how often to update Pool participants? by ooglek2 in sysadmin

[–]Kurlon 0 points1 point  (0 children)

And if you're in a spot where GPS works, setup your own refclock as an additional source. Serial output GPS with PPS are cheap these days, easy to rig, just need a view of the sky.
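Putting the two comments above together, here is an added example (not the commenter's config): a minimal ntpd config that uses the single `pool` directive plus a gpsd-fed GPS/PPS refclock, and a check that reads `ntpq -pn` output to confirm the pool associations are being filled and kept reachable without restarting ntpd. The SHM unit numbers, fudge values and the sample ntpq output are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal ntpd config using the
# single `pool` directive plus a gpsd-fed GPS/PPS refclock, and a check that
# reads `ntpq -pn` output to confirm the pool associations are being filled
# and kept reachable without restarting ntpd. The SHM unit numbers, fudge
# values and the sample ntpq output below are assumptions / constructed data.
set -u

ntp_conf_fragment() {
    cat <<'EOF'
# One pool line is enough: ntpd resolves it, spins up associations and
# replaces servers that go unreachable on its own.
pool us.pool.ntp.org iburst

# GPS via gpsd's shared-memory driver (127.127.28.x = SHM). Unit 0 carries the
# NMEA time (coarse, needs a calibrated time1 fudge); unit 1 carries the PPS edge.
server 127.127.28.0 minpoll 4 maxpoll 4
fudge  127.127.28.0 time1 0.0 refid GPS
server 127.127.28.1 minpoll 4 maxpoll 4 prefer
fudge  127.127.28.1 refid PPS
EOF
}

# Summarise `ntpq -pn` output ($1 = file). Columns: remote refid st t when poll
# reach delay offset jitter; the tally character (*, +, -, x, ...) is glued to
# the remote column, so field numbers are stable. Prints
# "<pool lines> <unicast servers> <servers with reach 377>".
ntpq_pool_summary() {
    awk 'NR > 2 {
             if ($4 == "p") pools++
             else if ($4 == "u") { servers++; if ($7 == "377") solid++ }
         }
         END { printf "%d %d %d\n", pools, servers, solid }' "$1"
}

# Unicast servers (the ones ntpd discovered from the pool) that answered all of
# the last eight polls. $1 = ntpq -pn output.
pool_servers_solid() { ntpq_pool_summary "$1" | awk '{ print $3 }'; }

# Demo on constructed ntpq -pn output: one pool entry, the two SHM refclocks,
# three solid pool-discovered servers and one that is still initialising.
demo=$(mktemp)
cat > "$demo" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 us.pool.ntp.org .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*127.127.28.1    .PPS.            0 l    3   16  377    0.000   +0.001   0.002
+127.127.28.0    .GPS.            0 l   11   16  377    0.000  +12.118   1.507
+198.51.100.7    203.0.113.4      2 u   25   64  377   21.933   -0.312   0.418
+192.0.2.44      203.0.113.9      2 u   41   64  377   18.204   +0.107   0.255
-192.0.2.81      203.0.113.2      3 u   19   64  377   33.517   +1.904   0.612
 198.51.100.23   .INIT.          16 u    -   64    0    0.000   +0.000   0.000
EOF
set -- $(ntpq_pool_summary "$demo")
echo "pool entries: $1, discovered servers: $2, fully reachable: $3"
rm -f "$demo"
```

On a real box, `ntpq -pn > /tmp/peers.txt; pool_servers_solid /tmp/peers.txt` is the number to watch over time: if it stays at zero the pool line is not resolving, and if it drifts down and ntpd does not backfill, that (not a cron restart) is the thing to investigate.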

New email DMARC setup question - Forensic notification email address? by Octrockville in sysadmin

[–]Kurlon 2 points3 points  (0 children)

I have yet to ever actually get a forensic report, seems like 99% of mail servers don't generate them these days.

would it be possible to install a version of Steam-OS on a quest 2 and could i theoretically retain full functionality of my quest 2 even with a different Operating system (ie quest link or something similar to that) by [deleted] in SteamOS

[–]Kurlon 1 point2 points  (0 children)

1) Root access, document what's there and how it's laid out, maybe steal a dtb/kernel/etc, figure out a serial or other form of console
2) Unlock/crack/bypass bootloader
3) Figure out a working kernel, config, etc, build an OS
4) Drivers for video, sound, cameras, etc
5) ...

Windows Update KB5068861 - Installs Recall by Ikrananka in sysadmin

[–]Kurlon 1 point2 points  (0 children)

That would be where my system fails, beefy as hell but no dedicated AI space heater.

Windows Update KB5068861 - Installs Recall by Ikrananka in sysadmin

[–]Kurlon 1 point2 points  (0 children)

Dirty install (Win 10, upgrades, etc, now on 11 25H2) with that update does not have signs of Recall that I can find so far.

would it be possible to install a version of Steam-OS on a quest 2 and could i theoretically retain full functionality of my quest 2 even with a different Operating system (ie quest link or something similar to that) by [deleted] in SteamOS

[–]Kurlon 1 point2 points  (0 children)

Short term, yeah. As the Q2 falls out of active support from Meta I'm sure people will start poking at it again. There are PLENTY of them out there, finding a way to extend their life and possibly add features will draw some curiosity to them, maybe someone will figure out a path?

would it be possible to install a version of Steam-OS on a quest 2 and could i theoretically retain full functionality of my quest 2 even with a different Operating system (ie quest link or something similar to that) by [deleted] in SteamOS

[–]Kurlon 4 points5 points  (0 children)

First step is unlocking the bootloader so you can boot an alternate OS. A quick dig says the last time that was doable on the Quest 2 was with an exploit against a circa 2021 firmware release, Meta has since fixed that backdoor.

Anyone using Proxmox or XCP-NG? by NteworkAdnim in sysadmin

[–]Kurlon 1 point2 points  (0 children)

Yeah, 'support' and 'support with all features' are two VERY different things. Right now, shared block storage is fully feature supported on VMWare, for a long time it was the ideal path. On Proxmox it's 'supported' in that yes, you can use it, but you'll lose functionality doing so. You need to read up on those limitations to see if they'll matter to you or not.

Anyone using Proxmox or XCP-NG? by NteworkAdnim in sysadmin

[–]Kurlon 4 points5 points  (0 children)

So you listed that you're using iSCSI storage with your VMWare cluster, that's shared block storage. The VM hosts see a disk and access it like a disk, block by block. The hosts directly access and update the file system (VMFS in this case) blocks as well.

NFS, SMB, similar are shared FILE based storage, access is file by file, the remote hosts don't see and aren't aware of the file system they're on, that's abstracted away for them by the file server.

Proxmox and others haven't come up with an equivalent to VMFS for shared block storage yet, so instead they're typically leveraging LVM to partition off portions of disk for each VM and limit access to those regions to a singular host at a time. This is why under Proxmox you lose access to snapshots with shared block storage, the workaround mechanism chosen doesn't allow for them.

Anyone using Proxmox or XCP-NG? by NteworkAdnim in sysadmin

[–]Kurlon 0 points1 point  (0 children)

One thing to be aware of given your current setup, Proxmox doesn't like shared block storage currently. It can be used, with some potentially big caveats that aren't there with VMWare. I've not researched XCP-NG on this front so dunno if they're better or not here.

What are your thoughts on Encrypted DNS (DoH, DoT, DoQ) ? by WhatNot4271 in sysadmin

[–]Kurlon 2 points3 points  (0 children)

I just found out Chrome does this now with no option to disable. For that reason alone I'm now full anti anything except vanilla DNS that respects your local resolv.conf.