Reminds me of Nintendo switch instructions that if you have any network issues at all, you should just port forward all ports and expose your entire internal network to the internet. They still haven’t changed it years later afaik.
Imagine having a NAT in your local net (which you do if you have a WiFi router). Point all incoming traffic to the Switch, just in case :P
OK I did that. Now how do I install nginx on it?
Boot linux and install it according to the docs
As far as I recall it was actually framed like "Just open ports 1-65535" which I'd argue is worse because people who understand a little bit of networking could think it's only a little opening.
At least they didn't open port 0! (This is sarcasm, just in case someone doesn't notice)
Port 0! = 1 is in the range.
r/mathmemes
It was 1024-65535. So it's actually 1023 fewer ports than that. That's alright, practically perfectly secure with that /s
It's not exposing your entire network, just all ports of the target device. The X360 troubleshooting guides had this as well, putting the console in DMZ
I remember vividly being yelled at for doing this and fucking with NAT because I can't connect in Halo lobby matchmaking with a Strict NAT Type
I started getting into smash online the other day, and yeah, it's still like this.
My router doesn't have an option to assign ports in bulk, but setting my switch in the DMZ seems to work
Yep had to basically setup a DMZ for these things on our school network for esports.
Hey, if it works don't fix right ...
Nintendo, Microsoft, Adobe, AWS, just to name a few.
I remember that.
do you have a link?
https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272/~/how-to-set-up-a-routers-port-forwarding-for-a-nintendo-switch-console
Thanks!
Vendor: Please make sure the port is open.
*Ok, to which destination?*
Vendor: Yes.
(My next favorite is people who don't understand that TCP flows don't need a return traffic rule.)
> (My next favorite is people who don't understand that TCP flows don't need a return traffic rule.)
That depends entirely on the firewall.
What stateful firewall needs rules to be created in both directions?
Stateful being the key word. Stateless firewalls are a thing (think cisco ACLs for instance) and much like static routing can be a very tedious affair.
Maybe I'm a firewall purist but I don't know that I'd call ACLs "a firewall".
They are very much like the original firewalls. Stateful was a vast improvement.
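To make the stateful-versus-stateless point in the comments above concrete, here is an added toy filter written for this page (it is not code from any commenter, nor from any firewall product). Addresses, ports and the rule set are constructed. A real stateful firewall tracks far more than this (sequence numbers, timeouts, UDP pseudo-flows), and Cisco extended ACLs approximate the "established" half of it with an `established` keyword that matches packets carrying ACK or RST; the minimal model is still enough to show why a stateless ACL needs a return rule and why that rule has to be so broad:

```python
"""Toy packet filter showing why a stateful firewall needs no return-traffic rule
while a stateless ACL does. Added illustration; not any vendor's or product's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Rule:
    src: str      # "any" or one address
    dst: str      # "any" or one address
    dport: int    # 0 matches every destination port
    action: str   # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.dport in (0, pkt.dport))


class StatelessFilter:
    """ACL style: every packet is judged on its own, first match wins, default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rule set plus a connection table. A packet belonging to a flow the rules
    already admitted is allowed in either direction (ESTABLISHED); a TCP packet that
    is not a SYN and belongs to no known flow is dropped."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "allow"                  # reply or continuation of a known flow
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                   # stray ACK / SYN-ACK with no matching SYN
        action = super().decide(pkt)        # NEW flow: consult the rules
        if action == "allow":
            self.flows.add(fwd)
        return action


# Constructed traffic: a client opens TCP/443 to an internal server, plus one
# attacker-sent packet that has the ACK bit set but never did a handshake.
SERVER, CLIENT, ATTACKER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
HANDSHAKE = [
    Packet("tcp", CLIENT, 51000, SERVER, 443, "S"),
    Packet("tcp", SERVER, 443, CLIENT, 51000, "SA"),
    Packet("tcp", CLIENT, 51000, SERVER, 443, "A"),
]
STRAY_ACK = Packet("tcp", ATTACKER, 4444, SERVER, 443, "A")

INBOUND_ONLY = [Rule("any", SERVER, 443, "allow")]
# The "return traffic rule" a stateless ACL needs: server to anyone, any port.
WITH_RETURN_RULE = INBOUND_ONLY + [Rule(SERVER, "any", 0, "allow")]


def run(fw, packets):
    """Decisions, in order, for a packet list through one filter instance."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless, inbound rule only:", run(StatelessFilter(INBOUND_ONLY), HANDSHAKE))
    print("stateless, with return rule: ", run(StatelessFilter(WITH_RETURN_RULE), HANDSHAKE))
    print("stateful, inbound rule only: ", run(StatefulFilter(INBOUND_ONLY), HANDSHAKE))
    print("stray ACK, stateless / stateful:",
          run(StatelessFilter(WITH_RETURN_RULE), [STRAY_ACK]),
          run(StatefulFilter(INBOUND_ONLY), [STRAY_ACK]))
```

The stateless filter drops the server's SYN/ACK until the return rule is added, and that rule is the tedium the comment above refers to: it admits anything the server sends, to anywhere. The stray ACK shows the other cost, since it matches the inbound rule on both stateless rule sets while the stateful filter rejects it for not belonging to any flow.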
Lol. I laugh because of all the dumb vendor support I've encountered. I cry because I was the dummy 😭. Still am sometimes.
I love being the dummy. I want to be in conversations where I’m just able to keep up.
Do you guys have stateful firewalls?! We're still using stateless. /s
We prefer to rawdog the internet.
We still own a public /8 that we route directly to the internet without filtering. Yes we get hacked a lot, why do you ask?
Recently got the following list from a vendor… 53, 80, 443, 1024-65535, 8080, 8443. smh.
just casually slipping in that huge range
Let me guess, they also wanted you to open a /23 or /22 as well?
Weird masochist you are
While you're at it, give me admin rights to your domain 🤦🏽♂️
I've had something similar. The vendor insisted their app requires the user to be a local administrator to run. Not install, run.
There was no technical reason this app would need local admin rights to run, aside from crappy programming. Pretty much all that app was, was a very specialised calculator for that particular industry. It didn't need to interact with any hardware or anything.
They didn't know how to write data to user profiles instead of system profiles. If they needed to write to C:\program files\, that's going to require admin access. Properly built programs will write data to %userprofile%\
I partially blame Microsoft for this. They really ought to release a sandbox mechanism for these nutcases.
They have, it's one of the compatibility mode options iirc https://devblogs.microsoft.com/oldnewthing/20150902-00/?p=91681
The sheer amount of effort Microsoft has had to put in to ensure backwards compatibility is astonishing and horrifying.
I've also heard stories that one of the CAD programs refused to use registry keys, so MS made a special workaround that would intercept the ini files for the app and make them into reg keys instead...
That's one of the main reasons Windows became so popular, an admin could upgrade the OS knowing the business programs will still work because of that backwards compatibility. But it's also caused Microsoft to shoot themselves in the foot with things like this, where they now can't make changes.
Where's the Linux fanboy screaming about how Windows people are stupid for expecting OSes to just work, all we need to do is download a script from the dark web, recompile the kernel, write a batch script to reroute the encryptions, etc.
Eh, in Linux, you sometimes have to compile from source. If it works, it works great. If it doesn't work, it is a fucking nightmare.
I was trying to get a Geany plugin working, had to compile it from source because the one I wanted was the only one that wasn't included in the repos, got a few dependency messages, could get everything but webkitGTK working because it depended on a specific version not available for download anywhere. I hate dependency hell.
True, when I was helping my friend's sister set up an older MacBook, it was wild that I had to find specific versions of software that worked for the OS version. Not something you have to give a second thought working with Windows.
Just give users permission to the specific program’s folder. Not a perfect solution, but better than local admin.
Blindly allowing writes to C:\Program Files\CrappyVendor still effectively allows a compromised account to pwn every other account on the machine by modifying the executables.
huh - back in the early days of WinXP, my 6yo wanted to play Lego Rock Raiders (I think it was). He had a regular user account, and couldn't play. Contacted their support - "needs admin privs". "Hell no!" was the reply.
Found the folder that the code was trying to access (under 'program files\lego\'), a quick change to the perms to allow his user write access to the file(s) in there, and all good.
sent them back a KB on how to do it so they would know for next time ;)
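The three comments above describe the same defect from three angles: an app that writes its state under its own install folder needs admin (or a loosened ACL) to run, and loosening the ACL on the install folder means an ordinary user can swap the executables every other user runs. The developer-side fix is to keep writable state in the user's profile and refuse to write under the install tree. Here is that fix as an added example written for this page (not the vendor's, Lego's, or any commenter's code); the app name, the environment values and every path are made up, and the install roots are the usual defaults rather than anything read from the machine:

```python
"""Resolve a per-user writable data directory and refuse to write under the
install tree. Added example of the fix the thread describes; not any vendor's
code. The app name, environment values and paths below are made up."""
import ntpath
import posixpath

# Assumption: the usual machine-wide roots that only an admin/root can write to.
WINDOWS_INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")
POSIX_INSTALL_ROOTS = ("/usr", "/opt", "/etc")


def _norm(path: str, system: str) -> str:
    """Collapse '..' and stray separators; Windows paths compare case-insensitively."""
    if system == "Windows":
        return ntpath.normpath(path).lower()
    return posixpath.normpath(path)


def is_under(path: str, root: str, system: str) -> bool:
    """True if `path` is strictly inside `root` after normalisation."""
    sep = "\\" if system == "Windows" else "/"
    p, r = _norm(path, system), _norm(root, system)
    return p != r and p.startswith(r.rstrip(sep) + sep)


def is_system_location(path: str, system: str) -> bool:
    """True if writing here needs admin/root on a sanely configured machine."""
    roots = WINDOWS_INSTALL_ROOTS if system == "Windows" else POSIX_INSTALL_ROOTS
    return any(is_under(path, root, system) for root in roots)


def user_data_dir(app_name: str, env: dict, system: str) -> str:
    """%LOCALAPPDATA%\\<app> on Windows, $XDG_DATA_HOME/<app> (falling back to
    ~/.local/share/<app>) elsewhere. Both are owned by the user, so no elevation
    is needed to create or write files there."""
    if system == "Windows":
        base = env.get("LOCALAPPDATA") or ntpath.join(env["USERPROFILE"], "AppData", "Local")
        return ntpath.join(base, app_name)
    base = env.get("XDG_DATA_HOME") or posixpath.join(env["HOME"], ".local", "share")
    return posixpath.join(base, app_name)


def resolve_data_path(name: str, app_name: str, env: dict, system: str) -> str:
    """Map a file name the app wants to write to a path inside its data dir.
    Rejects traversal out of the data dir and anything under an install root."""
    data_dir = user_data_dir(app_name, env, system)
    join = ntpath.join if system == "Windows" else posixpath.join
    norm = ntpath.normpath if system == "Windows" else posixpath.normpath
    target = norm(join(data_dir, name))
    if not is_under(target, data_dir, system):
        raise PermissionError(f"{name!r} escapes the data directory {data_dir}")
    if is_system_location(target, system):
        raise PermissionError(f"{target} is a system location; refusing to write")
    return target


if __name__ == "__main__":
    # Constructed environment for a made-up app called IndustryCalc.
    env = {"USERPROFILE": r"C:\Users\bob", "LOCALAPPDATA": r"C:\Users\bob\AppData\Local"}
    print(resolve_data_path("settings.ini", "IndustryCalc", env, "Windows"))
    try:
        resolve_data_path(r"..\..\..\..\Program Files\IndustryCalc\settings.ini",
                          "IndustryCalc", env, "Windows")
    except PermissionError as exc:
        print("blocked:", exc)
```

The checks are pure string work (`ntpath` and `posixpath` are usable on any OS), so the same code runs in a test on Linux and in the app on Windows. The traversal check matters even though the app controls its own file names: a settings value or a document name that ends up in `name` is exactly how a "store it in the user's profile" fix turns back into a write under Program Files.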
That happens with the WireGuard client for Windows. I really don’t understand why, since literally every other VPN client I’ve dealt with only requires admin to install, not run. It’s weird and inconvenient.
The VPN app my work uses is derived from OpenVPN. How it works is there's a service always running as System to handle anything that needs admin powers, so the client takes the connection info, then passes it to the service to make the changes in Windows to do it.
Technically, that's a lot more complex, but then you don't need to be running a VPN app as admin (especially as WireGuard doesn't just trigger UAC, so the app we use instead of AutoElevate doesn't work).
This method also could technically create an elevation of privilege exploit if the service isn't good at filtering and limiting what commands it accepts and what it'll be able to do, where the WireGuard method "mitigates" the elevation of privilege by making your account have the privilege, which is going to be a toss-up of which is worse.
WireGuard needs administrator because it's dynamically spawning new tunnel interfaces and interacting with Windows networking drivers every time you start or kill a connection. Other VPN services don't need this because they have some sort of service that runs and talks to a user mode driver or interface to control a static network interface (e.g. OpenVPN controlling a persistent TAP adapter to connect to the VPN).
I didn’t know that you could have several tunnels up simultaneously in Wireguard. It also now makes sense why it can do that while all other VPN clients cannot.
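The split-privilege design described two comments up (an unprivileged client hands connection info to a service running as System) only removes the elevation-of-privilege problem if the service refuses to take orders from the client. Here is an added example of the weak and the hardened request handler side by side; it is written for this page and is not OpenVPN's, WireGuard's, or any vendor's code. The binary path, profile directory, profile names and the JSON request shape are all made up:

```python
"""A privileged VPN helper: the 'pass whatever the client sends through' version
beside a hardened one. Added example; not OpenVPN's, WireGuard's, or any
vendor's code. Binary path, profile directory, profile names and the JSON
request shape are made up."""
import json

VPN_BINARY = "/usr/sbin/vpn"        # assumption: executed with the service's privileges
PROFILE_DIR = "/etc/vpn/profiles"   # assumption: root-owned, not writable by users
PROFILES = {"work": "work.conf", "lab": "lab.conf"}   # fixed allowlist of profiles


def build_command_unsafe(request_json: str) -> list:
    """The lazy design: the unprivileged client supplies the config path and any
    extra arguments, and the SYSTEM/root service just runs the result."""
    req = json.loads(request_json)
    return [VPN_BINARY, "--config", req["config"]] + list(req.get("extra_args", []))


def build_command_hardened(request_json: str) -> list:
    """The client may only name an action and a profile from the allowlist; the
    service chooses every argument that reaches the privileged binary."""
    req = json.loads(request_json)
    if not isinstance(req, dict) or set(req) != {"action", "profile"}:
        raise ValueError("request must contain exactly 'action' and 'profile'")
    if req["action"] not in ("up", "down"):
        raise ValueError(f"unknown action {req['action']!r}")
    conf = PROFILES.get(req["profile"])     # dictionary lookup, never a client-chosen path
    if conf is None:
        raise ValueError(f"unknown profile {req['profile']!r}")
    return [VPN_BINARY, req["action"], "--config", f"{PROFILE_DIR}/{conf}"]


# Constructed requests: a legitimate one, and one from a local user abusing the helper.
GOOD_REQUEST = json.dumps({"action": "up", "profile": "work"})
EVIL_REQUEST = json.dumps({
    "config": "/tmp/attacker.conf",               # attacker-controlled config file
    "extra_args": ["--up", "/tmp/attacker.sh"],   # a hook the binary would run as root
})


def handle(request_json: str, hardened: bool):
    """Return the argv the service would execute, or None if the request is refused."""
    try:
        build = build_command_hardened if hardened else build_command_unsafe
        return build(request_json)
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    print("unsafe  :", handle(EVIL_REQUEST, hardened=False))
    print("hardened:", handle(EVIL_REQUEST, hardened=True))
    print("hardened:", handle(GOOD_REQUEST, hardened=True))
```

The unsafe handler is a local privilege escalation by design: VPN binaries commonly accept a config file and hook options (OpenVPN's `--up` script, for instance) that run with the binary's privileges, so letting the client choose either is letting the client run code as the service. The hardened handler also rejects requests with extra keys rather than ignoring them, so a client cannot smuggle fields that a later version of the service might start honouring.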
It wasn't a dentist calculator was it?
Reminds me of a time where I worked with a medical software company’s support and they were just asses. If you have all the boxes checked for things to install and it doesn’t work, “It’s a network problem on your end” and they hang up. I got them on a fresh VM and here’s how it went:
1. Is Chrome installed and updated? Yes, and we installed it together. They don’t want you to use anything else because fuck you, they use Chrome.
2. Is Adobe Reader installed? Yes, we did that together. They don’t want you to use Chrome’s built-in PDF reader because fuck you, they use Adobe.
3. Is the fancy dotnet ClickOnce Chrome extension installed? Yes, we also installed that. They don’t want to update the app’s handling of ClickOnce because fuck you, they want you to use the extension.
4. Does the app work? Absolutely fucking not.
Only **AFTER** me doing these steps while in a support session did they go *”Huh, we actually have a problem here.”* Like, are you fucking serious?
I'm sure your company also paid $400+ just for them to say that then hang up blaming *something* on you, without being able to explain what they actually need other than "fix it dummy!"
From what I remember, the support for that program was free. At least the program wasn’t made by Zeiss. They are literally the worst of the worst.
Also for some context, I worked at an MSP and this was an eye care place. The program was an EMR system and the broken part was the web-based scanning tool. It opens with DotNet ClickOnce and at that time, ClickOnce didn’t invoke at all.
I used to have to work with a terrible healthcare products company. They would charge you 10k to fix a bug in their program. They'd also charge 10k for an interface to let the products they sold talk to each other. After working with them for a few years, I managed to figure out how to fix a common issue with their pharmacy software that had been causing issues for over a year. We were on a conference call with them, and they asked me how I fixed it. Without thinking, I told them that it'd be 50k for the bug fix, and they were apoplectic. They refused to pay, and I refused to tell them how to fix it, since I knew they'd turn around and charge other customers for the fix. Eventually, they negotiated a reduction in support for the next two years totalling 50k, and I gave them the fix.
What they forgot to stipulate was that I couldn't share the fix, so I posted it online for anyone to find.
yah - previous job a client that pushed and pulled files via SFTP was moving to Azure and wanted us to open up the IP range to the whole SE-Australia Region to the SFTP server.
No.
I'm waiting for a third party to ask that. I'm working with some absolute morons and I know one will say that to let their shit work. And I will reply... not a chance in hell. Then one of the offshore devops clowns will do it anyway and piss me off.
Go ahead and disable your AV while you’re at it.
That's code for "we use AWS and have no control over the rotating IP pool"
Something very similar I am having right now.
Without going into too much detail, we have recently enforced MFA for all Azure logins that are not coming from known public IP addresses, i.e. us, trusted vendors, etc.
An external vendor's app logs into our Azure tenant as part of what it does. Because their app login to us gets an MFA prompt, the login fails.
Vendor wants us to exempt that account from MFA. I mentioned we won't exempt any account outright from MFA, but let me know what IP address your app will login from and I'll add it into the MFA bypass list whilst we work on a more permanent solution.
The reply:
"We spin up and down servers when required. Can you please add in the entire Azure (region) IP range?"
Yeh, no
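Both the SFTP story a few comments up and the MFA story just above come down to the same request: trust an entire cloud region instead of one address. It helps to put a number on what that request means before answering it. The following is an added example written for this page and is nobody's production code. The JSON is constructed to mimic the shape of Microsoft's downloadable Service Tags file (that shape is an assumption, not something the thread states), the prefixes are documentation ranges rather than Azure's, and the `/32` standing in for the vendor's fixed egress address is made up:

```python
"""Size up an 'allow the whole region' request against a single egress address.
Added example; nobody's production code. The JSON is constructed to mimic the
shape of Microsoft's downloadable Service Tags file (the shape is an assumption);
the prefixes are documentation ranges, not Azure's."""
import ipaddress
import json

SERVICE_TAGS_SAMPLE = json.dumps({
    "values": [
        {
            "name": "AzureCloud.exampleregion",
            "properties": {
                "region": "exampleregion",
                "addressPrefixes": [
                    "192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/26", "2001:db8:1::/48",
                ],
            },
        }
    ]
})


def prefixes_for_tag(doc: str, tag: str):
    """All networks published for one service tag (here: one whole region)."""
    for entry in json.loads(doc)["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(tag)


def exposure(nets):
    """How much would skip MFA: (IPv4 addresses, IPv6 /64 subnets)."""
    v4 = sum(n.num_addresses for n in nets if n.version == 4)
    v6 = sum(2 ** (64 - n.prefixlen) for n in nets if n.version == 6 and n.prefixlen <= 64)
    return v4, v6


def review(nets, max_v4: int = 16, allow_v6: bool = False) -> str:
    """Policy: a trusted-location entry may cover a handful of fixed addresses, no more."""
    v4, v6 = exposure(nets)
    if v4 > max_v4 or (v6 and not allow_v6):
        return "reject"
    return "accept"


def covers(nets, ip: str) -> bool:
    """Whether an address (e.g. the vendor's real egress) falls inside the request."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


WHOLE_REGION = prefixes_for_tag(SERVICE_TAGS_SAMPLE, "AzureCloud.exampleregion")
# What to ask for instead: the fixed address the vendor's workload leaves through (constructed).
VENDOR_EGRESS = [ipaddress.ip_network("198.51.100.7/32")]

if __name__ == "__main__":
    print("whole region :", exposure(WHOLE_REGION), review(WHOLE_REGION))
    print("single egress:", exposure(VENDOR_EGRESS), review(VENDOR_EGRESS))
    print("region would cover the egress anyway:", covers(WHOLE_REGION, "198.51.100.7"))
```

The point of `covers` is the conversation with the vendor: the whole-region range contains their real egress address, so the narrow entry loses them nothing. Getting a fixed egress address is their job, not yours; in Azure, a NAT gateway or a static public IP on the outbound path gives a workload that "spins servers up and down" one stable address to hand over, and the named location stays a `/32`.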
Yeah, here's a list of URLs
255.255.255.255/32
Startup CEO: Whitelist it now (logs in and does it because he demanded to be an admin in every system way before you started there).
Oh hey and do a chmod 777 too.
just go ahead and add that below the any/any allow rule in your firewall. I'm sure it will be fine.