Quite early in the process, but we see probes have dropped off. Some of this may be due to the IP level (draconian) restrictions.
The outline of the new security measures is as follows:
1) The user has to have a valid VPN certificate to ssh to the system.
2) Users cannot share a certificate. This isn’t simply policy, it is enforced on a technological level.
3) Outgoing traffic is pretty much restricted to VPN, and set specific ports. If there is abuse of those ports, they will lose them.
I will make this a package and service that the day job will provide to our customers. Nice GUI and CLI and all that.
FWIW: we had thought of, at the beginning of this process, wrapping this up in a nice Rocks roll. Sadly, due to the … well … unfortunate treatment of me personally on the part of the leadership of this group, this work is unlikely to happen. We have been told to “put oars in the water” (we have for *years* … nice of them to notice) on their behalf. Kind of sad. We have been told that reporting security problems is “alarmist”. We have been told that reporting interesting benchmarks is “crossing a line”.
Yeah, I see. Makes perfect sense.
This silliness aside, it does look like it is possible to lock the Rocks cluster down, even though updates are currently hard for most folks (we have done them without too much pain). Do them anyway. Functions that break due to an update are bugs, and should be reported as such.