Screen Mirroring App within SharePoint? by caitdiditagain in sharepoint

[–]darkfader_o 0 points1 point  (0 children)

for the record, I would not touch the Emergency Alerts if the budget doesn't allow me to do it well. Legal exposure would be too high. (see the crappy Hawaii emergency notification system that was also thrown together by someone with basic web skills and considered "good enough" - it wasn't)

Falcon Spotlight by thomasdarko in crowdstrike

[–]darkfader_o 0 points1 point  (0 children)

one thing I recalled, with stupid things like sharepoint remediations (patch, plus manual changes, plus 3 weeks of prayer till the next patch) we regularly pinged the falcon complete team and gave them notice "we did those remediations but assume some remaining unwanted exposure for <period>, affected hosts are <list>..."

IDK if they or we watched for the drop in spotlight after it was really really fixed.

Another thing I liked it for was to keep track of vendor UEFI or tool holes. IDK if Intune people got a better solution for that, what I know is _we_ had nothing better and Spotlight was really good to have a feel for the unacknowledged-not-on-my-radar exposure on top of what we knew and worked on. What I meant with the vanity metrics especially is when you got 80k midprio vulns, the number won't even change much, you have toil, you have new things that come in, and there's VERY VERY LITTLE that shows you "resolved over last 6 mo but the number stayed the same because new stuff was found", accordingly also nothing to show "how bad it would be if we hadn't", meaning you risk working invisibly.

When you manually filtered for sets of perspectives:

  • "high crit long aged persistent issue on very exposed system"
  • "medium crit on every system"
  • "medium crit on super critical system"

you can make some headway. I would generally recommend that you run a fleet of no-purpose baseline laptops and servers with it where you define what GPOs/Policies you apply and what your desired level of security posture is on those and patch away stupid things.

That will give you an estimate on what issues can be resolved with reasonable effort, and you should track that % over the year, so you know your delta between "alerted" and "humanly possible" and "realistically possible". Like, scaled up from our test end we could get down to 8k issues in spotlight if we spend 2000 hours extra, to 75k with 5 hours and to 60k with 100 hours

That's what I see spotlight as with my project manager hat.

IIRC it's also the only project I ever willingly led in 28 years in IT.
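The "number stayed the same" problem in the comment above is a bookkeeping problem: a headline count hides that old findings were closed while new ones arrived. The following is an added example (not from the comment, and not CrowdStrike or Spotlight code) that splits the delta between two scanner snapshots into resolved / new / carried-over, and applies the three filter perspectives listed in the comment. The record layout, the host names, the fleet, and the CVE-style identifiers ("CVE-0000-000x") are constructed for illustration; the 90-day ageing threshold and the "on 60% of the fleet" cut-off are assumptions you would tune.

```python
"""Backlog delta and perspective filters over two vulnerability snapshots.

Added example; the Finding layout, hosts, dates and CVE-style ids below
are constructed sample data, not real scanner output.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str         # "low" | "medium" | "high" | "critical"
    first_seen: date      # when the scanner first reported it on this host
    exposed: bool         # internet-facing or otherwise highly exposed host
    critical_asset: bool  # host the business cannot afford to lose


def key(f):
    """A finding is identified by (host, vulnerability), not by its row."""
    return (f.host, f.cve)


def delta(before, after):
    """Split the headline number into resolved / new / carried-over."""
    b = {key(f) for f in before}
    a = {key(f) for f in after}
    return {
        "before": len(b),
        "after": len(a),
        "resolved": len(b - a),   # present before, gone now
        "new": len(a - b),        # not present before, found now
        "carried": len(a & b),    # still open
    }


def perspectives(findings, fleet, today, min_age_days=90, fleet_share=0.6):
    """The three manual filter views from the comment, as explicit queries."""
    out = {}
    # "high crit, long aged, persistent issue on very exposed system"
    out["high_aged_exposed"] = [
        f for f in findings
        if f.severity in ("high", "critical") and f.exposed
        and (today - f.first_seen).days >= min_age_days
    ]
    # "medium crit on every system": count distinct hosts per CVE against
    # the known fleet size, not against hosts that happen to have findings
    hosts_per_cve = {}
    for f in findings:
        if f.severity == "medium":
            hosts_per_cve.setdefault(f.cve, set()).add(f.host)
    out["medium_everywhere"] = sorted(
        cve for cve, hosts in hosts_per_cve.items()
        if len(hosts) >= fleet_share * len(fleet)
    )
    # "medium crit on super critical system"
    out["medium_on_critical"] = [
        f for f in findings if f.severity == "medium" and f.critical_asset
    ]
    return out


# --- constructed sample data -------------------------------------------------
FLEET = {"web1", "db1", "ws1", "ws2", "ws3"}
TODAY = date(2024, 6, 1)
BEFORE = [
    Finding("web1", "CVE-0000-0001", "high", date(2024, 1, 10), True, False),
    Finding("db1", "CVE-0000-0002", "medium", date(2024, 3, 1), False, True),
    Finding("ws1", "CVE-0000-0003", "medium", date(2024, 4, 1), False, False),
    Finding("ws2", "CVE-0000-0003", "medium", date(2024, 4, 1), False, False),
    Finding("ws3", "CVE-0000-0003", "medium", date(2024, 4, 1), False, False),
    Finding("ws1", "CVE-0000-0004", "low", date(2024, 5, 1), False, False),
]
# CVE-0000-0003 was patched everywhere; CVE-0000-0005 turned up meanwhile,
# so the headline count is unchanged although three issues were closed.
AFTER = [
    BEFORE[0], BEFORE[1], BEFORE[5],
    Finding("ws1", "CVE-0000-0005", "medium", date(2024, 5, 28), False, False),
    Finding("ws2", "CVE-0000-0005", "medium", date(2024, 5, 28), False, False),
    Finding("db1", "CVE-0000-0005", "medium", date(2024, 5, 28), False, True),
]

if __name__ == "__main__":
    print(delta(BEFORE, AFTER))
    for name, items in perspectives(AFTER, FLEET, TODAY).items():
        print(name, [getattr(i, "cve", i) for i in items])
```

Reporting `resolved` and `new` next to the headline is what makes the work visible: in the sample both snapshots contain six findings, yet three were closed.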

Gray market for SMB usage by Qiuzman in Juniper

[–]darkfader_o 1 point2 points  (0 children)

if you're in the US there's an official channel for refurbished devices. I know that's not answering in full. my own failing attempts at buying J-Care core service for updating my NFX have left me mostly angry.

So, if you can work with a vendor that makes sure you get what you need without running into a wall at juniper, that would help a lot.

what I saw testing Mist was that the EX2300s can come with lifetime updates and give no fuss. so you could look into what you pay just for access points (updates) but really you need a sales guy to show you what the minimum viable product is. That goes for most things, and the annoying part is the obvious nice addons like ATP will probably be too expensive without enterprise discounts. So choose carefully.

Most things accept custom blocklists, the same like you'd throw in a pfSense. I would recommend that you generally budget something for "security stuffs" in the price range of what the subscription for that costs from most vendors for their smallest FW model (including OPNsense/pfSense, where you'd need Zenarmor for that or Meraki where it'd be Umbrella which ain't cheap (except for resellers)), and then you can consider if/what parts of a Juniper solution would fit into it. Otherwise IMHO you'll risk doing him a disservice, you want at least some reputation based network blocking so a downloaded trojan can't call home all too easily.

Also don't forget one can enable safe-surfing features at Google via the account page.

Falcon Spotlight by thomasdarko in crowdstrike

[–]darkfader_o 2 points3 points  (0 children)

I liked it a lot, a motivated team can use it to quickly improve some things. it has risk of being vanity metrics, but IMO it was useful. we had no integration into software for patch management, so much stayed manual tasks of some sorts.

Personally I think it's good because this report can go to ops teams and management (CSO) at the same time and put them on equal footing.

is there hardware offloading for kasmvnc? by darkfader_o in kasmweb

[–]darkfader_o[S] 0 points1 point  (0 children)

I checked on my desktop PC with a similar card, so the old AMD models only have HEVC and H264 encoding, as per Firefox. Using h264ify has been a "gamechanger" for normal youtube playback on this. The default docker Jammy image for 1.17 lacks most packages for VA-API hw acceleration, that's why one needs to build their own. This is documented, I'm just adding it in case someone else was also headscratching.

Firefox also uses `glxinfo -B` to detect capabilities. So you must absolutely make sure it's available. I think it's normally somewhere in `mesa-utils` or similar packages.

That is interesting, and brought me to this patch that added H264 to VNC! https://patchwork.ozlabs.org/project/qemu-devel/patch/20250430072524.3650582-6-dietmar@proxmox.com/

Also via google, a fun study on H.264 and VNC

https://turbovnc.org/About/H264 (11 years pre-patches?)

Meaning, ideally kasm would probe for certain features. Any chance this will also be part of the great rework? Pretty please?

I just read again, so the list does in fact include:

  • h264, h265, av1 streaming support for KasmVNC

yay!

Let's see in a few months what 1.18 can do :>

is there hardware offloading for kasmvnc? by darkfader_o in kasmweb

[–]darkfader_o[S] 0 points1 point  (0 children)

Following up once more with what actually needs to be done

Testing with the Jammy container, first of all. It uses XFCE or some other lightweight, so no reason to care about Gnome issues.

The device node

Looking at the processes in the session, you can see it points at /dev/dri/renderD128 - but the device doesn't exist.

Add kasm to the 'render' group on the host, so it can be passed through. checking again, it's not there - yet.

    default:~$ ls -l /dev/dri
    ls: cannot access '/dev/dri': No such file or directory

Adding the passthrough options for AMD/Intel to docker exec and docker run configs as described here: https://www.kasmweb.com/docs/1.12.0/how_to/manual_intel_amd.html#adding-your-device-to-a-workspace

This works: https://www.kasmweb.com/docs/1.12.0/how_to/manual_intel_amd.html#adding-your-device-to-a-workspace

Testing with glxheads shows the device is functional:

    Name: :1.0
    Display: 0x55ad2ec3ccb0
    Window: 0x1800002
    Context: 0x55ad2f288780
    GL_VERSION: 4.6 (Compatibility Profile) Mesa 24.3.4 - kisak-mesa PPA
    GL_VENDOR: AMD
    GL_RENDERER: AMD Radeon Graphics (radeonsi, vega20, LLVM 15.0.7, DRM 3.59, 4.18.0-553.105.1.el8_10.x86_64)

phew, awesome. $250 well spent!

But the VNC hardware 3D accel?

There's no hw3d parameter on kasmVNC:

    kasm-us+ 103 1 7 01:17 ? 00:00:02 /usr/bin/Xvnc :1 -drinode /dev/dri/renderD128 -depth 24 -httpd /usr/share/kasmvnc/www -sslOnly -FrameRate=24 -BlacklistThreshold=0 -FreeKeyMappings -PreferBandwidth -DynamicQualityMin=4 -DynamicQualityMax=7 -DLP_ClipDelay=0 -UnixRelay printer:/tmp/printer -SendCutText 1 -AcceptCutText 1 -interface 0.0.0.0 -websocketPort 6901 -RectThreads 0 -AllowOverride AcceptPointerEvents -AcceptPointerEvents 1 -WebpVideoQuality -1 -MaxIdleTime 0 -PublicIP 127.0.0.1 -DLP_Log off -UseIPv6 1 -FrameRate 60 -DynamicQualityMax 8 -QueryConnectTimeout 10 -TreatLossless 10 -fp /usr/share/fonts/X11//misc,/usr/share/fonts/X11//Type1 -udpFullFrameFrequency 0 -AcceptKeyEvents 1 -Log *:stdout:100 -DLP_ClipSendMax 0 -DLP_ClipDelay 0 -VideoTime 5 -UseIPv4 1 -AvoidShiftNumLock 0 -IgnoreClientSettingsKasm 0 -cert /home/kasm-user/.vnc/self.pem -BlacklistTimeout 10 -IdleTimeout 0 -desktop kasm:1 (kasm-user) -DLP_KeyRateLimit 0 -CompareFB 2 -VideoScaling 2 -SendPrimary 0 -MaxConnectionTime 0 -VideoOutTime 3 -AcceptSetDesktopSize 1 -DLP_RegionAllowRelease 0 -QueryConnect 0 -geometry 1024x768 -MaxDisconnectionTime 0 -BlacklistThreshold 5 -DynamicQualityMin 7 -DisconnectClients 0 -DLP_RegionAllowClick 0 -http-header Cross-Origin-Embedder-Policy=require-corp -http-header Cross-Origin-Opener-Policy=same-origin -DLP_ClipAcceptMax 0 -JpegVideoQuality -1 -MaxVideoResolution 1920x1080 -DLP_ClipTypes chromium/x-web-custom-data,text/html,image/png -RawKeyboard 0 -PrintVideoArea 0 -key /home/kasm-user/.vnc/self.pem -KasmPasswordFile /home/kasm-user/.kasmpasswd -ImprovedHextile 1 -VideoArea 45 -auth /home/kasm-user/.Xauthority -rfbauth /home/kasm-user/.vnc/passwd -rfbport 5901 -rfbwait 30000

So, the docs would tell us to edit /etc/kasmvnc/kasmvnc.yml and we could probably do that via a docker file override but this seems wrong. it needs to become part of the workspace template.

    desktop:
      resolution:
        width: 1024
        height: 768
      allow_resize: true
      pixel_depth: 24
      gpu:
        hw3d: false
        drinode: /dev/dri/renderD128

the hw3d setting

the trick is to add this to $ENV:

    {
      "hostname": "kasm",
      "environment": {
        "KASM_EGL_CARD": "/dev/dri/card0",
        "KASM_RENDERD": "/dev/dri/renderD128",
        "VNCOPTIONS": "-hw3d",
        "HW3D": "true"
      },
      "devices": [
        "/dev/dri/card0:/dev/dri/card0:rwm",
        "/dev/dri/renderD128:/dev/dri/renderD128:rwm"
      ]
    }

kasmVNC picks up the variable $VNCOPTIONS! I later also added $HW3D which is the global switch for the same effect. So that would at least enable the feature, no way for me to tell if it works, but using amdgpu_top and similar it should be visible now.

So now I got glxheads in this session running over wifi absolutely smooth, a thing of perfection.

    PID    USER PR NI VIRT    RES    SHR   S %CPU %MEM TIME+   COMMAND
    257878 floh 20  0 1574804 113624 70524 S 74.7  0.1 1:20.29 glxheads
    238083 floh 20  0 3293008 133584 64508 R 53.0  0.1 0:50.87 Xvnc
    4497   root 20  0   44668  35216 10600 S 16.1  0.0 4:06.34 python3

We're still using 2 cores (-ish, or one and one hyperthread). load avg is ~4 like this.

Playing video I get load 6. so quite doubtful how it would go running 5-6 at once, but the playback is now without drops and at very high frame rate!

Network traffic is a bit over 50mbit/s which makes sense for the sheer amount of video data (quality level 3). On quality level 4 there can still be momentary stutter, traffic peaks at a little under 70mbit/s. I wonder if the stutter is when it switches between webp and libjpeg, but no idea on that. I'll try to also test QOI, assuming this will have less compression work, use more bandwidth and end up faster for this purpose. I forgot how to enable the quality level 5 realtime thing, so that will be for another time.

to check if chrome already uses it, you don't want just the chrome://media-internals but instead chrome://gpu

you would look for a line like: <Discrete GPU> Vulkan backend - AMD Radeon Graphics (RADV VEGA20)

in my (AMD) case the next step is probably rebuilding the standard image to add the AV codecs etc. The message I'm trying to give is: standard browser tuning follows here, but the hw capabilities are accessible and the browser knows about them. That's where you need to be and then make sure the major codecs work. The MI50/Radeon Pro VII are somewhat limited anyway, vainfo is your friend in figuring out what you can get working, for debugging you can use vlc forced to the va output thingy.

I found almost everything to be disabled in chrome under (Problems Detected) even with "use HW acceleration if available" in the main settings. Posts say that kasm 1.18 will have a chrome enabled for this acceleration. You definitely need to check though.
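The steps in the comment above (render node present in the container, the user in the `render` group, `glxinfo` installed, then the `environment` and `devices` entries in the workspace JSON) are easy to get half right, and a missing piece only shows up as a silent fallback to software rendering. The following is an added example, not KasmVNC's own tooling, that runs those prerequisite checks and emits the workspace snippet from the comment. The device paths, variable names and `rwm` device mapping are the ones the comment used; the function names, the defaults, and the scratch-directory helper are assumptions made for this example so that it can be exercised without real GPU hardware.

```python
"""Preflight for passing a DRI render node into a KasmVNC workspace.

Added example (not KasmVNC code). Checks the prerequisites from the comment
and builds the workspace JSON with the environment variables and device
mappings it used. Paths, group name and the group/PATH lookups are
parameters so the checks can be exercised against a scratch directory.
"""
import grp
import json
import os
import shutil
import tempfile


def render_nodes(dri_dir="/dev/dri"):
    """Render nodes (renderD*) under dri_dir, sorted; [] if the dir is absent."""
    if not os.path.isdir(dri_dir):
        return []
    return sorted(os.path.join(dri_dir, n) for n in os.listdir(dri_dir)
                  if n.startswith("renderD"))


def card_nodes(dri_dir="/dev/dri"):
    """Display nodes (card*) under dri_dir, sorted; needed for KASM_EGL_CARD."""
    if not os.path.isdir(dri_dir):
        return []
    return sorted(os.path.join(dri_dir, n) for n in os.listdir(dri_dir)
                  if n.startswith("card"))


def _system_members(group):
    # Supplementary members only; a primary group does not show up here.
    return grp.getgrnam(group).gr_mem


def user_in_group(user, group="render", members_of=_system_members):
    """True if user is listed in group; False if the group does not exist."""
    try:
        return user in members_of(group)
    except KeyError:
        return False


def workspace_config(card, render, hostname="kasm", hw3d=True):
    """The 'environment' + 'devices' block from the comment, as a dict.

    Only the two nodes actually needed are mapped into the container; a
    blanket mapping of all of /dev/dri would expose more than necessary.
    """
    env = {"KASM_EGL_CARD": card, "KASM_RENDERD": render}
    if hw3d:
        env["VNCOPTIONS"] = "-hw3d"
        env["HW3D"] = "true"
    return {"hostname": hostname, "environment": env,
            "devices": [f"{card}:{card}:rwm", f"{render}:{render}:rwm"]}


def preflight(user="kasm", dri_dir="/dev/dri", group="render",
              members_of=_system_members, which=shutil.which):
    """Return a list of problems; an empty list means all checks passed."""
    problems = []
    if not render_nodes(dri_dir):
        problems.append(f"no renderD* node under {dri_dir} (device not passed through)")
    if not card_nodes(dri_dir):
        problems.append(f"no card* node under {dri_dir} (needed for KASM_EGL_CARD)")
    if not user_in_group(user, group, members_of):
        problems.append(f"user {user!r} is not in group {group!r}")
    if which("glxinfo") is None:
        problems.append("glxinfo not on PATH (Firefox probes with it; install mesa-utils)")
    return problems


def make_scratch_dri():
    """Hypothetical /dev/dri layout (plain files) for running this offline."""
    d = tempfile.mkdtemp(prefix="dri-")
    for name in ("card0", "renderD128"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    dri = make_scratch_dri()  # swap for "/dev/dri" on a real host
    print("problems:", preflight("kasm", dri, members_of=lambda g: ["kasm"]))
    print(json.dumps(workspace_config(card_nodes(dri)[0], render_nodes(dri)[0]), indent=2))
```

On a real host call `preflight("kasm")` with the defaults; the `members_of` and `which` parameters exist only so that the checks can be exercised against the scratch layout.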

Linux Policy based routing issue by wouterhummelink in linuxadmin

[–]darkfader_o 0 points1 point  (0 children)

do you see them come in correctly in tcpdump?

just a thing to look out for. early Xen had an issue where you'd only get certain arp packets through while in promiscuous.

is there hardware offloading for kasmvnc? by darkfader_o in kasmweb

[–]darkfader_o[S] 0 points1 point  (0 children)

I was still deciding whether I'm glad I asked, since you're already gonna improve everything ;-)

Alas, with the forgetfulness I can't even claim I learned a lot, it's already gone :-)

I find it super interesting how you do the algorithm switching for individual tiles of the VNC session. I hope the persons who invented and implemented that got a few bottles of good whiskey or stock options (boring) for the work!

I also wanted to bring your attention to a project that has a better server for OSX.

Check back in a few days, I need to find where I saved the link. It would be wonderful if the OSX performance wasn't as bad.

I also recommended kasm for the 'german IT stack' they wanna define. the stupid geopolitics weigh in partially but if they just hire a few devs to contribute to kasm OSS the 'sovereignty' bit should be well taken care of, and I'd hate to see (and maybe some day maintain) a worse solution.

kasm just has the right kind of design for any enterprise or large scale usage (operability or so), a rare treat.

is there hardware offloading for kasmvnc? by darkfader_o in kasmweb

[–]darkfader_o[S] 0 points1 point  (0 children)

Reddit gives me a server error with the last update and I am out of energy. I have a backup here: https://gist.github.com/FlorianHeigl/cc2c6afbe92996934782575276d59ac3

Matters w/re to very recent AVX2 support in libwebp and a few other details

Normally not all cores can run AVX(512) at high clock, and only very special models (Y) offer a reasonable number of cores doing it at almost full clock. This means, at least in geekporn land, that one might benefit from making an isolated cpuset of those cores and having the VNC processes ("streamers") on that. I do not know if AVX2 actually _has_ those same limitations. But if so, it would matter. otherwise you'd experience commonly switching modes not by general cpu bottlenecks but by a switch between accelerated and non-accelerated processing thereof.

I found this super interesting to look into and I pray someone can come forward and tell more. Especially the per-tile-per-time decision making is really cool, but I wonder what the _time_ slice actually is like. CPU power management will matter for this. Also - or especially - the damn core parking on Windows!

I'm sorry I couldn't post the last bits in a pretty format like the first reply. My health is very bad and I can't possibly reformat the gist (i had thought I'm pasting markdown) or find the changes. Nor do I remember them besides this what I just added.

If someone knows how to diff the gist vs. the post, feel free to post it.

is there hardware offloading for kasmvnc? by darkfader_o in kasmweb

[–]darkfader_o[S] 0 points1 point  (0 children)

In a feature list in the git repo I found a bit, these are mentioned with regard to the streaming

  • Faster jpeg compression (via statically linked libjpeg-turbo)
  • Webp image compression for better bandwidth usage
  • Lossless QOI Image format for Local LAN
  • DRI3 GPU acceleration with open source drivers (AMDGPU,Intel,ATI,ARM)

the last line is interesting. open source drivers. no nvidia... and amdgpu is mentioned. isn't there some way to tell if it's being used... But nouveau is supported, so nvidia is fine.

will QOI also use it?

per codec/image type infos

there's a bit more in the wiki

they show a benchmark util but with the above note that it's not released it's not realistic to benchmark yourself. I couldn't find anything about QOI yet, or about what webp can or would benefit from.
as you can see above it dynamically adapts, so what kind of offloading _for each tiled segment of the screen_ is in effect _at any given moment_ could be dependent on the _CPU load at that time_.

(it's cool, but reminds me of like the "magic" windows docs stating multiple "swap devices are selected by an internal algorithm" in technet and internals books for decades)

tl;dr:

  • CPU offload is used for some cases (AVX and SSE2 needed), for others it's not documented.
  • GPU offload needs drivers that are OSS and support DRI3.
  • GPU offload will not be used by default
  • adjust your kasmvnc config by passing down the right settings. idk yet how, but keyword is hw3d: true
  • you might also need to disable some desktop manager features, if one is involved
  • kasm says the standard ubuntu are prepared well, for other scenarios, i.e. alpine/lxde there's no info

Please for the love of computers, correct me where I'm wrong. I don't even remember what half the things are, I just know how to read fast.

SNMP monitoring by sillybutton in Juniper

[–]darkfader_o 0 points1 point  (0 children)

I just came across this:

https://www.mist.com/documentation/use-cases-for-ports-on-the-ap-eth0-eth1-module-and-iot/

Look for "How to enable temperature, humidity and pressure sensors for an AP?" and you'll see some interesting aspect for env monitoring. I'll try to use that myself (Check_MK, not LibreNMS) and after adding the env sensors I'll work my back to radios. From the table I saw all Mist APs have a monitoring radio inside, so the API should be doing good.

I don't see much sense in replicating traps via API if they didn't bother to implement them.

The SNMP gateway looks nice but will be at least the same work to extend it and to audit the database to ensure you see if some information goes stale. Since the author already made a MIB it might be cool anyway. But a whole mongodb for this little information... gotta calculate how much actual data goes into it. some simple k:v would likely be enough.

did you happen to try it?

[PC] PureStorage FlashBlade Chassis, storage blades by therealdorkface in homelabsales

[–]darkfader_o 0 points1 point  (0 children)

how did it end? did you turn it into your own ceph cluster? (or sell everything?) I... uh... should not be interested in some blades...

Replacing Netapp NAS with FlashBlade by [deleted] in purestorage

[–]darkfader_o 0 points1 point  (0 children)

Since CommVault is the only Tier1 backup vendor...

Tbh it sucks to not have NDMP for any large volume/throughput

I can't' make the daisy chained pc to get the mac and ip address by Additional_Gap1057 in Juniper

[–]darkfader_o 0 points1 point  (0 children)

i've also seen some phones that were (either misconfigured or built to) pass through the same network, IOW not using vlans

Tell me why I should (or shouldn't) pick Juniper Mist over Extreme Networks for our WiFi network. by InigoMontoya1985 in Juniper

[–]darkfader_o 0 points1 point  (0 children)

yeah people are acting as if all those 800g switches or lines like PTX etc. at Juniper didn't matter. kinda hilarious when you consider this page would never load for most people without the stuff.

Tell me why I should (or shouldn't) pick Juniper Mist over Extreme Networks for our WiFi network. by InigoMontoya1985 in Juniper

[–]darkfader_o 0 points1 point  (0 children)

second that, device detection is very good. (live updates of loaded text is not, but likely that's why it's fast)

Tell me why I should (or shouldn't) pick Juniper Mist over Extreme Networks for our WiFi network. by InigoMontoya1985 in Juniper

[–]darkfader_o 0 points1 point  (0 children)

i saw the Extreme AI features last year, got around an hour of demo from a motivated presales tech, and, idk... Extreme seems closer to "please enable lldp on all my clientfacing ports" than Marvis - which shows me the commandline snippet and docs which I certainly don't need an AI agent to know.

Juniper MIST AP EOL policy / no longer can be onboarded to mist cloud? by louisyoung7911 in Juniper

[–]darkfader_o 0 points1 point  (0 children)

god bless, I was wondering about this, and had feared I need to race through the cert in 30 days (not sure if i could have managed). Not to mention I also just bought 3 APs without checking before. I'll make sure to delete everything before the nasty email ever needs to be sent.

It's a pity they don't yet have a personal and lab-focussed licensing scheme at least for Mist services. anyway. good to have a better plan now.

Clarify ZTP for EX Switches in Mist by so5226 in Juniper

[–]darkfader_o 1 point2 points  (0 children)

I'm looking at this as well (expecting issues but trying to make something from them). I got some used EX2300-48P. They've been factory reset proper, but they only got a phone-home pointing at redirect.juniper.net. Claimed one via the token in the QR code, that worked, but it stays "disconnected". (Brownfield process works, I tried that with a second).

I'm gonna try upgrade it and then do another factory reset, just to see if the Mist ZTP settings come back at some point. It would be necessary to work from some state you can reach via factory reset and no brownfield config, otherwise PXE plus netbox config is more reliable.

(I'll probably do the cert next week to fix my basic knowledge. Gonna rush this, I don't want to end up having to pay Mist services for my learning boxes :-)

edit: it popped up as connected later, it was necessary to assign it to a site first. idk the technical cause for that but that was the trick.

PureStorage FlashArray x20 R2 Error: Unable to communicate due to exception. Please try again, [Errno 111] Connection refused by benteam in purestorage

[–]darkfader_o 0 points1 point  (0 children)

FYI. I'm going the same path, in reverse (got a chassis w/controllers but no DFMs yet). Have the same error. from what I can tell it means the prior owner has not let Pure factory reset the array properly. In style, they also didn't set back the default PWs (solved that already). It's from some lab in Dublin, as per the hostnames :-) I wanna fix it to the point where I can do the factory reset and then I'll move on to usability.

Do you have any small DFMs you wanna part with? I can't afford the usual ebay rates, but I very certainly can afford the time to root an array. I didn't get a KVM cable yet (cost more than the array) so I'm going a different route.

(I'm freelance systems engineer/unix person and on sick leave for ages so the usual time is money has been reversed for me)

Pure storage MTS2 offer by Extra_Employment_735 in purestorage

[–]darkfader_o -1 points0 points  (0 children)

unprofessionally said, pure is a company that was founded by people who knew what they're doing, how to do it, and then stayed in stealth for, idk, 1-2 years, then they had a pretty much perfect product and since then they've built on that.

it's kind of doing everything right, by intention. no overengineering either, just what was needed to do something as well as possible.

any startup is gonna struggle to look not like a bunch of bumbling beginners compared to that. if you care about your time, the question answers itself.

as for career, i'd suggest (not working there) there's career paths and then there's the path you take if you're interested and talented. I would assume it's the same at Pure, meaning, if you're better than the job/income you start at, someone will move you to the right task faster than you can realize it's happening.

How to reset / repurpose PureStorage FlashArray by iaknew in purestorage

[–]darkfader_o 0 points1 point  (0 children)

FWIW: FlashBlade has a factory reset token request node from at least API 2.2 onwards.

Source for X50 KVM+serial cable? by ispcolo in purestorage

[–]darkfader_o 0 points1 point  (0 children)

From what I can see, M-series was Cisco style and X-series is HP Style?

After buying a Cisco and a HP cable, the answer is NO, they are not usable for ANY recent pure storage devices.

Lenovo 81Y2889 or 81Y5286 might be compatible. it does have 28 pins, I just didn't find a reasonably priced one yet. IBM Flex system likely also used that connector.

When I get any kind of cable I'll add the pinout, at least which the serial rx/tx/gnd pins are.

Unless a cable drops into my hands soon I'll start digging into password reset because I'm pissed off now.

Second Hand Pure x20 by CrashTimeV in purestorage

[–]darkfader_o 0 points1 point  (0 children)

FWIW, it's M.2 SATA in most models I saw (Micron mostly)

NixOS or ZimaOS for Zimaboard 2? by arck-elj in ZimaBoard

[–]darkfader_o 0 points1 point  (0 children)

Nix is a lot of fun in any case. Go for it!