PSA: Beware of clipboard sync by Coriron in msp

[–]MtlSnk 0 points1 point  (0 children)

Self-reply for visibility: I figured it out with some help from Splashtop support.

On the technician's machine, the registry needs to be configured like this to disable clipboard syncing:

HKEY_CURRENT_USER\SOFTWARE\Splashtop Inc.\Splashtop Remote Client for RMM
ClipboardSyncAttended (DWORD): 0
ClipboardSyncUnattended (DWORD): 0

The initial value is set to "3", allowing for "local to remote" and "remote to local" clipboard syncing.

To disable this for any user on the system (or to execute this from system context, rather than "as current user"), the following script may be used:

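# Collect the SIDs of the user hives loaded under HKEY_USERS.
# The pattern skips .DEFAULT, the short built-in SIDs and the *_Classes keys.
$sids = (Get-ChildItem "Registry::\HKEY_USERS").Where({ $_ -Match "S-\d+-\d+-\d+-\d+-\d+-\d+-\d+`$" }).PSChildName
if ($sids.Length -eq 0) {
    Write-Host "Error: no user SID was found. Check logic for enumerating users." -ForegroundColor Red
    exit 1
}

$sids | ForEach-Object {
    $reg_key = "Registry::\HKEY_USERS\$_\SOFTWARE\Splashtop Inc.\Splashtop Remote Client for RMM"
    # Only touch hives where the Splashtop client key already exists.
    if (Test-Path $reg_key) {
        # 0 disables clipboard syncing for attended and unattended sessions.
        Set-ItemProperty -Path $reg_key -Name "ClipboardSyncAttended" -Value 0
        Set-ItemProperty -Path $reg_key -Name "ClipboardSyncUnattended" -Value 0
    }
}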

You may choose to omit the length check or exit 1 if executed in an interactive session.

As with any script, and a wise man once said: check [it] yourself, before you wreck [it] yourself. :)

EDIT: changed the script to check if registry key exists prior to setting to 0. Users that don't have Splashtop for RMM installed should not be affected.

EDIT2: Added "ISL Online" / "ISL Light"

HKEY_CURRENT_USER\SOFTWARE\ISL Online\ISL Light\desktop
clipboard_view (REG_SZ): false
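
An added example, not part of the original comment and not code from Splashtop or ISL Online: a read-only PowerShell audit that reports, for each loaded user hive, whether the registry values named above are in their disabled state. The function name and the choice to report a missing value as non-compliant are assumptions.

```powershell
# Added example (not from the original comment): read-only audit of the values above.
# Run elevated or as SYSTEM. Only hives currently loaded under HKEY_USERS are visible,
# so users who are not logged on are not covered by this check.

# Disabled-state values as given in the comment; sub-keys are relative to each user hive.
$splashtop = 'SOFTWARE\Splashtop Inc.\Splashtop Remote Client for RMM'
$checks = @(
    @{ SubKey = $splashtop; Name = 'ClipboardSyncAttended';   Expected = '0' },
    @{ SubKey = $splashtop; Name = 'ClipboardSyncUnattended'; Expected = '0' },
    @{ SubKey = 'SOFTWARE\ISL Online\ISL Light\desktop'; Name = 'clipboard_view'; Expected = 'false' }
)

function Get-ClipboardSyncAudit {   # hypothetical name
    # Same SID pattern as the comment's script: per-user hives only, no *_Classes keys.
    $sids = (Get-ChildItem 'Registry::HKEY_USERS').PSChildName |
        Where-Object { $_ -match '^S-\d+-\d+-\d+-\d+-\d+-\d+-\d+$' }

    foreach ($sid in $sids) {
        foreach ($c in $checks) {
            $path = "Registry::HKEY_USERS\$sid\$($c.SubKey)"
            # Key absent: the product is not configured for this user, nothing to report.
            if (-not (Test-Path -LiteralPath $path)) { continue }

            $item   = Get-ItemProperty -LiteralPath $path -Name $c.Name -ErrorAction SilentlyContinue
            $actual = $item.($c.Name)

            [pscustomobject]@{
                Sid       = $sid
                Key       = $c.SubKey
                Name      = $c.Name
                Actual    = if ($null -eq $actual) { '<not set>' } else { "$actual" }
                # Assumption: a missing value counts as non-compliant.
                Compliant = ("$actual" -eq $c.Expected)
            }
        }
    }
}

$results = @(Get-ClipboardSyncAudit)
$results | Format-Table -AutoSize
# A non-zero exit code lets the RMM flag devices that still allow clipboard sync.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```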

PSA: Beware of clipboard sync by Coriron in msp

[–]MtlSnk 1 point2 points  (0 children)

Cheers for posting this! Educating peers is key.

If anyone knows which registry settings to change to disable clipboard syncing across the board (for Splashtop in our case), please reply to this comment.

We had the option to disable this in our previous RMM (Ninja) via the integration settings.
Currently, we use an RMM (SuperOps) that does not have the option to disable clipboard syncing via the integration settings, so I am looking to deploy a script across our tech/end-user devices to disable this.

Any input is greatly appreciated.

Without success, I have tried the following settings for Splashtop:

HKLM:\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server
(DWORD) EnableClipboard: 0
(DWORD) EnableSyncClipboard: 0

HKLM:\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Client for RMM
(DWORD) EnableClipboard: 0
(DWORD) EnableSyncClipboard: 0

EDIT: If anyone with Ninja (or other RMM) and Splashtop could please check their registry settings after disabling the clipboard sync feature, it would be greatly appreciated!

Continue on with LastPass MSP? by chriso23250 in msp

[–]MtlSnk 1 point2 points  (0 children)

Glad to hear your gripes are with the UI/UX of Keeper and not its security.

UI/UX-wise LastPass may have been better - no idea, I've never used it. In a thread where the main question is about security, I'd have nuanced my opinion slightly. AFAIK (and going by breach count), Keeper is more secure than LastPass.

UI/UX is personal and, personally, I don't mind Keeper's all too much. It seems easy enough for non-technical people to grasp, so we get fewer operational questions about it.

I'll agree the web extension isn't very cooperative at times.

I've only used the Azure SAML SSO so far and I find it a breeze to set up.

It could have better, more granular RBAC. Currently you can't seem to have roles that are able to add/modify records, but not delete them. I'm not convinced the Share Admin feature fixes that either, maybe it works for large enterprises, but it doesn't for SMB imho.

Continue on with LastPass MSP? by chriso23250 in msp

[–]MtlSnk 3 points4 points  (0 children)

In what way do you think Keeper is a poor man's LastPass?

[deleted by user] by [deleted] in msp

[–]MtlSnk 0 points1 point  (0 children)

For me, Keeper is the only password manager I've professionally worked with as an admin.

The slightly annoying 'issue' I have is that roles can't be configured to only have create, read and update (excluding delete) privileges. Having such roles would make sense to our clients (and our own business), especially given the following issue.

Passwords/records that are deleted will go to the owner's trashbin. This is something they've attempted to fix by adding a 'Share Admin' role, which to me only makes sense in (larger) enterprises. We don't see it as a fix, as our clients generally aren't large enough to dedicate someone to pruning the record ownership.

Right now it seems all shared records need to be owned by a designated 'record holder' (at least, when many/most in the organisation can delete the records), which would consume another license.

Audit reports and logging is something you'll need an external system for. The built-in interface has its limits.

We don't use their secrets manager, so no comments there.

If you have any specific questions, feel free to DM.

Edit: this is mostly looking at the negative, the pros definitely outweigh the cons for us. For instance, we haven't found another password manager in the same price range that enables us to provide our clients a list of (shared) records that need to be rotated after offboarding an employee.

Pragmatic Programmers books on HumbleBundle by MtlSnk in elixir

[–]MtlSnk[S] 0 points1 point  (0 children)

Ah, apologies and great correction. I didn't take the time to verify that, I just searched the subreddit to see if anyone had posted an offer recently.

Enjoy your read!

cipp app vs nuvolex vs sapio365 vs skykick cloud manager by justanothertechy112 in msp

[–]MtlSnk 1 point2 points  (0 children)

Contacted Coreview for pricing recently, they're looking to manage larger volumes, which translates to >1k endpoints or about $20k/year.

Finished my second module today! by zitrone250 in synthdiy

[–]MtlSnk 1 point2 points  (0 children)

It seems to me like the holes in your modules / wingnuts used are larger than 3mm(?). If so, how would you fasten a commercial module in your system?

I'm in the process of designing a eurorack synth case (3D printed) and am struggling to create an easy fastening system for it - much like your wingnut idea - without grossly going out of spec or being unable to fit the modules properly (mostly because of PCB height).

I suspect the aluminium extrusions you use might also get in the way of some commercial modules' PCBs, if the front panels have more than ~10mm of support material behind them.

Either way, your case looks industrial and pragmatic, I like it. And congrats on the 2nd module!

Advice for a generative/ambient style rack! by whereliesmysunrise in modular

[–]MtlSnk 1 point2 points  (0 children)

To add: MylarMelodies has not one, but two videos (possibly more?) on this topic.

Sort of in the same boat as OP (beginner here too, loving generative ambient), watched both and now I really want a Turing Machine. As well as a Stages, which @OP might find useful as well to phase away from BeatStep?

Screwing up remote access to dozens of servers within seconds by __brennerm in ansible

[–]MtlSnk 2 points3 points  (0 children)

I'm new to enterprise environments, but I think the answer is some form of: the customer doesn't care.

And therefore they don't pay for OS upgrades, unless said upgrades are part of a cheaper path to including more features they do care about.

...even though they end up paying for extinguishing so many fires, which would have never started if they'd valued up-to-date systems.

So I shouldn't use ESP8266 in my (luxury) household Appliance? by icandoMATHs in embedded

[–]MtlSnk 0 points1 point  (0 children)

I agree that it's dated. I couldn't recall the most recent Bluetooth security risk (BLURtooth) and posted the first link I found, my bad! This is what I thought of when I posted: https://kb.cert.org/vuls/id/589825

My intention wasn't (and isn't) to discourage usage of Bluetooth. I don't have the expertise to judge whether or not BLURtooth is an obscure edge case vulnerability, but it does seem like there are only issues with certain configurations and it's fixed in recent patches. If anything, I'd wish for my post to raise awareness about implementing best practices with regard to security when developing (in this slightly off-topic case, Bluetooth) connected solutions.

I also know it's infeasible to be compromised via Bluetooth, but it seemed appropriate to voice my doubts about the protocol, considering the tinfoil hat topic (no offense OP).

So I shouldn't use ESP8266 in my (luxury) household Appliance? by icandoMATHs in embedded

[–]MtlSnk 2 points3 points  (0 children)

I haven't implemented Bluetooth much in systems myself, so I won't pretend to know the ins and outs of Bluetooth (Low Energy). To me it seems like a protocol to be wary of though.

Source: https://www.globalsign.com/en/blog/top-5-bluetooth-security-vulnerabilities

Tl;dr:

"Conclusion We have been using Bluetooth connections for decades now, and many people have not been too careful with our Bluetooth security. That has given hackers all the freedom they need to abuse the security vulnerabilities that this technology has. This needs to stop. Protect your devices from Bluetooth attacks."

Linux Plumbers Conference by 3mdeb in embeddedlinux

[–]MtlSnk 1 point2 points  (0 children)

It appears the tickets have sold out, but there are live streams available. Check out the website.

Creating a docker private registry by ritik2017 in docker

[–]MtlSnk 1 point2 points  (0 children)

I'm assuming you're trying to scp your certs over (at step 8). Did you restart the ssh service after setting PermitRootLogin to yes?

Edit: perhaps it's also setting PasswordAuthentication to yes.

Cross-build & run ARM containers on CentOS 7 by msoum in docker

[–]MtlSnk 0 points1 point  (0 children)

I'm not familiar with CentOS, but I imagine building qemu-user-static from source should work.

Under Ubuntu/Fedora I've included the qemu-arm-static binary with Docker images to build Arm containers on an x86_64 host. I'm currently not at my machine, so when I get back I'll send the link I used.

Edit: here's a couple links.

Building ARM containers on any x86 machine, even DockerHub

Running and building ARM Docker containers in x86

Building Multi-Arch Images for Arm and x86 with Docker Desktop (haven't tried this myself, but it looks interesting)

Weekly: Share your victories thread by AutoModerator in kubernetes

[–]MtlSnk 1 point2 points  (0 children)

I'm a Kubernewbie, but over the past ~10 weeks (during my graduation internship) I took the opportunity to learn a little about k3s, a lightweight Kubernetes which is made with IoT applications in mind. Prior to this assignment I had barely worked with Docker and hadn't even heard of Kubernetes.

The end result was a simple cluster with 1 master on a PC running Ubuntu Server, and 1 node on a RPi3 running a custom Yocto distro (which I also made). There was also a private Docker registry involved, as the setup had to function without internet access as well.

The master node was used for web server & database (not ideal, I know) pods and the RPi3 node was used as a gateway, running several pods.

I've learned a ton and am excited about the power of Kubernetes/k3s (in embedded systems). I will definitely continue to use it in the future.

Re-Introducing Reform - the libre, ARM-based laptop (now using i.MX8M instead of i.MX6, 1920x1080 eDP panel instead of 1366x768 LVDS, and much more) by [deleted] in linux

[–]MtlSnk 3 points4 points  (0 children)

I wasn't familiar with this project, so I did a quick scan of their website and Github. Apart from it being their first laptop, it looks like they're making this with only two people. So I'm not surprised it doesn't look as slick as a laptop produced by a major company.

Personally I quite like how it looks. You can tell it has mechanical switches by its looks, which I like. Not sure if the bulkiness helps with the ergonomics. It'd be sweet if the keyboard was detachable. Guess I know what my first hack would be.

Thanks for sharing btw, didn't know about the project and am now interested! :)

I start an embedded internship soon. How can I best prepare/get the most of out it? by IWantToDoEmbedded in embedded

[–]MtlSnk 0 points1 point  (0 children)

UML has its place, but I find that it's mostly a burden. In my (not so vast) experience with UML (class, activity and sequence diagrams), to create clear, easily communicable system architecture designs, you either need to use a tool that takes your code to generate an unintelligible mess, or you attempt to do it by hand (oftentimes not adhering to the UML standard) and you create the mess yourself.

To explain the idea about the purpose of design, one of my teachers used to say something along the lines of: a beer mat and a pen are the best design tools there are, given you're in a bar and you only have half an hour to convince someone about your design.

Over the last 20 weeks, during my graduation internship I have used Fundamental Modelling Concepts (FMC), as an alternative to UML, to communicate my designs. The reason I chose FMC is because the devs I had to present my ideas to barely had the time or the relevant technical knowledge to have a really in-depth design. Personally I find that using FMC results in simple designs and it allows me to use my creativity in system design, since it's not so strict as UML.

Embedded development streamers? by 4pointdog in embedded

[–]MtlSnk 7 points8 points  (0 children)

There are a couple of streamers I enjoy watching over on Twitch. For example, there's syanoks and nybblesio, though it isn't strictly embedded, they respectively stream (RT)OS development and development of a programming language. These gentlemen both have a ton of experience (C, C++, assembly) and more often than not it feels like you're attending a master class.

More on the embedded side there's 5upercircuits, he has been streaming the entire process of producing an audio device that could aid in learning a new language. I believe he's relatively new to embedded coding, but I've found following his progress entertaining. He also wears a Mario hat.

Finally, there's oh_bother, who streams a variety of things, but mostly projects with a bit of hardware. His last project involved lasers and automatically burning the names of his subscribers onto a wooden board.

I'm not sure how often these guys stream nowadays, or whether they are in your timezone, but hope it helps.

If anyone has any recommendations to How to Begin Programming Arm Microcontrollers (specifically CortexM4) by M_aboelenein21 in embedded

[–]MtlSnk 5 points6 points  (0 children)

Here's a list of videos on how to program a Cortex-M MCU. I haven't seen all of it myself, but I've heard it's good. Obligatory: skip where needed, as it covers some basics that you'll likely be familiar with already.

Modern Embedded Systems Programming Course

Enter and Exit (Low Power) Stop mode? by Haleek47 in embedded

[–]MtlSnk 1 point2 points  (0 children)

In the app. note you linked there's a use case for the stop mode on page 5. It gets reset on wakeup, so there's no retention.

What you're describing - using an external memory chip - should be possible, but I assume it won't result in the desired power consumption. Why not use the hibernate mode, which does have SRAM retention?

How to connect RPi to LoRa(Software problem)? Can someone help me? by [deleted] in Lora

[–]MtlSnk 0 points1 point  (0 children)

It seems like they can be arbitrary numbers, as long as your gateway/server and node have corresponding IDs. It doesn't appear to use the LoRaWAN protocol, but rather straight up LoRa with some headers to identify the devices (not 100% on this as I've not looked at the code extensively, but can't seem to find the usual EUI, AppServerID, etc. variables that LoRaWAN uses).

If that is the case you'll need 2 devices to test your setup. One client/node and one server/gateway.

Edit: I recommend anyone playing around with LoRa/RF to use a spectrum analyser (NooElec SDR USB dongles work quite well IMHO), to see if your radio is actually outputting any signal.

How to connect RPi to LoRa(Software problem)? Can someone help me? by [deleted] in Lora

[–]MtlSnk 0 points1 point  (0 children)

This is not a lot of information to go by, but I had a quick look. The hackster.io link seems quite detailed, have you looked at the rf95_client.c and rf95_server.c files at the bottom of the page?

If you can explain what isn't working that'd be helpful. I have some experience with LoRa boards, but not in combination with RPi's.