I've aired most of my grievances here already, but now I am genuinely concerned that the Chinese Communist Party has successfully planted malware on both of my Ubuntu 18.04 and 20.04 machines. It only uses IPv6 and completely avoids IPv4. It's rooted in the machine because Google serves up CAPTCHAs no matter what the MAC address is, but ONLY in IPv6.
Clean Live CD, no issues. Steam Big Picture Chromium, no issues.
When the network manager only sees a link-local IPv6 address but is still set to public IPs, all is good and the browser sees you are running with a full public IPv6 and nothing is wrong… until you unplug the network cable and plug it back in. When the network manager is assigned a public IPv6 address, though, it CAPTCHAs like crazy.
Using KDE for both my systems. There is no wait time for Google to serve the CAPTCHA, it literally decided NO MATTER WHAT MAC ADDRESS I used my machine was going to INSTANTLY be handed CAPTCHAs.
Did an experiment. I went to google.ca on one of the machines, let it be caught by a CAPTCHA, but then I instead searched on google.com and it went through no problem. But now, every time I go to google.ca (as if it was tracking my machine's UUID) only google.ca serves a CAPTCHA and google.com doesn't. It does this no matter what MAC address or public IP you assign the machine over IPv6, and no matter how many reboots you do to the machine.
Is it more weird to get an all IPv6 address or IPv4?
I'm guessing it's more weird to get a pure IPv6 address? That's why you get flagged all the time? Also, I fail to see specifically why the CCP would be involved? I mean they are not the only dystopian country around… even the West has dystopian governments…
I’ve been critical on Twitter of some of the stuff they’ve done.
Also, found out that the IPv6 stack only resets at least once per boot when it encounters a completely different network, then the “bait” for the CAPTCHA sometimes resets if I go back to Starlink. What’s even weirder is the CAPTCHA is served from the .com domain… but I’m allowed to search on the .com domain as soon as the bait is taken on the .ca domain.
Edit: The bait snatching changes over time (maybe in sync with the lease time) but is still tied to UUID.
The CCP and Elon Musk are most likely targeting you for elimination. I would dig a hole and line it with at least two inches of lead as quickly as possible and hide in there until you feel the threat has passed.
Not a new problem for Starlink users… Other forums and server admins seem to agree that this is a known 'issue'/quirk of the Starlink network, specifically their implementation of CGNAT, where you might end up sharing an IP address with other users, or with a botnet or another flagged IP, hence being flagged for security. Problems appear to be aggravated particularly when that traffic hits the CloudFlare CDN.
Yeah you’re on IPv6 but without insight into how Starlink’s network is configured up there, you might just be hitting vCGNAT/NAT64 as soon as your traffic gets to them. Maybe someone else around here knows more about Starlink’s internal workings than I do.
Reddit thinks I was hacked and are actively upvoting that I was hacked and downvoting me because I’m retarded.
Both .ca and .com are now serving the same problem now. And SPECIFICALLY for the machines affected so everyone thinks I was hacked.
That’s advice I haven’t yet gotten from anyone, but some think it’s browser fingerprinting adding to the trouble.
I wouldn’t think I was CGNAT on IPv6 but apparently that’s wrong? I have known the IPv4 problem for the last year or two and v4 is not affected on the “infected” machines.
Starlink doesn’t use standard TCP/IP over the satellite connection to improve performance. It’s a simpler version of IPv6 [1]. There is definitely some level of translation going on between router and ground station.
Stick something like Wireshark on your systems.
Run it while you're using your system and then look through the pcaps to see if there's anything being sent or received.
Enable a firewall.
Shut off any servers you're hosting, such as apache or nginx.
If you're still getting traffic then you will have to investigate that data and its metadata.
If you log in (assuming you have an account) do you get captchas?
Alternatively, try using DNT headers (on/off compare) and, check if you’re using quic or http when you’re captcha’d. (Maybe UDP 443 is acting up, most stupidware doesn’t yet use quic).
Nope, no captchas when logged in. Only Captchas when logged out specifically on Starlink IPv6 and no other IPv6 ISP. And it’s specific to the two Ubuntu daily driver installs I use, and specific to Firefox. Steam’s Chromium doesn’t do this.
I would love to do that, but I'm literally in the middle of housing limbo and all friends with pentesting stuff able to physically come to my place are all busy.
Well, my next suspicion is screen-grabbing malware, as random vertical tearing started midway through playing videos. Usually MPV can bypass tearing, but this just started mid-playback. That's my only uncertainty.
Make sure your display driver has vsync enabled then use mpv --video-sync=display-resample. rendering 23.976 Hz / 59.94 Hz / etc content on a 60Hz monitor is tricky.
In depth: Display synchronization · mpv-player/mpv Wiki · GitHub
I’ve been doing that with the compositor off no issues, but by fluke tearing started again right as I got confident the IPv6 issue got resolved. It happened on both of my machines.
But seriously, if CCP wanted to mess with your system, what do you suspect they are doing?
Obviously the data they extract would not interfere with local graphical output; it would be a rogue daemon running in the background.
If they were hypothetically capturing the screen, there would be the screen worth of data leaving your network, even to co-opted CA/US servers.
Do you have outbound traffic similar to watching YouTube?
Maybe like 1mb/s if they are only capturing low res?
Does the tearing go away when you max out your interface yourself, i.e. sending to another local computer's /dev/null at wire speed?
I am not saying they can’t be in your system, or even that they are not.
I’m just suggesting screen tearing seems an odd byproduct of various tools they would use.
Much more efficient to simply extract key/mouse and file info?
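One way to do the "look through the capture" step suggested earlier in the thread, and to answer the question just above about whether outbound volume looks like a video stream: the script below is an added example, not code from the thread or from any poster. It assumes text output from `tcpdump -n -tt ip6` (epoch timestamps, IPv6 only) on the machine's interface, a hypothetical local prefix 2001:db8:1::/64, and hypothetical remote addresses in the 2001:db8::/32 documentation range; the sample capture lines are constructed for illustration. It tallies outbound and inbound bytes per remote host and flags hosts where the sustained outbound rate is at least 1 MB/s and outbound dominates inbound, which is the signature a steady screen-capture upload would have and normal browsing would not.

```python
"""Summarise per-remote-host IPv6 traffic from `tcpdump -n -tt ip6` text output.

Added example (not from the thread). Assumptions: epoch timestamps (-tt),
local prefix 2001:db8:1::/64, remote hosts in 2001:db8::/32 (all hypothetical).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOCAL_PREFIX = "2001:db8:1::"  # assumption: this machine's /64

# One tcpdump line. TCP lines end with "length N"; UDP/DNS lines end with "(N)".
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6 (?P<src>[0-9a-f:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-f:]+)\.(?P<dport>\d+): .*?"
    r"(?:length (?P<tcplen>\d+)|\((?P<udplen>\d+)\))$",
    re.IGNORECASE,
)


@dataclass
class HostStats:
    out_bytes: int = 0
    in_bytes: int = 0
    out_pkts: int = 0
    ports: set = field(default_factory=set)  # remote ports we sent to


def parse_line(line):
    """Return (ts, src, dst, dport, payload_len) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    length = int(m.group("tcplen") or m.group("udplen"))
    return (float(m.group("ts")), m.group("src"), m.group("dst"),
            int(m.group("dport")), length)


def summarise(capture_text, threshold_bps=1_000_000, local_prefix=LOCAL_PREFIX):
    """Per-remote-host byte counts, sorted by outbound bytes, with a suspicion flag.

    Rate is averaged over the whole capture window (minimum 1 s), so a burst
    of a few packets is not flagged but a sustained upload is.
    """
    stats = defaultdict(HostStats)
    first = last = None
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, length = rec
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if src.startswith(local_prefix):
            h = stats[dst]
            h.out_bytes += length
            h.out_pkts += 1
            h.ports.add(dport)
        elif dst.startswith(local_prefix):
            stats[src].in_bytes += length
    window = max((last or 0.0) - (first or 0.0), 1.0)
    rows = []
    for host, h in sorted(stats.items(), key=lambda kv: kv[1].out_bytes, reverse=True):
        rate = h.out_bytes / window
        rows.append({
            "remote": host, "out_bytes": h.out_bytes, "in_bytes": h.in_bytes,
            "out_rate_bps": rate, "ports": sorted(h.ports),
            # Browsing is inbound-heavy; an upload stream is outbound-heavy and sustained.
            "suspicious": rate >= threshold_bps and h.out_bytes > 4 * h.in_bytes,
        })
    return rows


def build_sample():
    """Constructed capture: a small HTTPS exchange, a DNS lookup, and a steady
    1400-byte-per-millisecond stream to an unknown host (all addresses hypothetical)."""
    lines = [
        "1700000000.000000 IP6 2001:db8:1::10.51234 > 2001:db8:c0de::1.443: Flags [P.], seq 1:101, ack 1, win 501, length 100",
        "1700000000.100000 IP6 2001:db8:c0de::1.443 > 2001:db8:1::10.51234: Flags [P.], seq 1:4001, ack 101, win 501, length 4000",
        "1700000000.200000 IP6 2001:db8:1::10.40000 > 2001:db8:d0d0::53.53: 12345+ A? example.com. (29)",
        "1700000000.300000 IP6 2001:db8:d0d0::53.53 > 2001:db8:1::10.40000: 12345 1/0/0 A 192.0.2.1 (45)",
    ]
    for i in range(2000):  # 2.8 MB in ~2 s to 2001:db8:bad::5 port 8443
        ts = 1700000000.5 + i * 0.001
        lines.append(f"{ts:.6f} IP6 2001:db8:1::10.55555 > 2001:db8:bad::5.8443: "
                     f"Flags [P.], seq {i*1400+1}:{(i+1)*1400+1}, ack 1, win 501, length 1400")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in summarise(build_sample()):
        flag = "SUSPICIOUS" if r["suspicious"] else ""
        print(f"{r['remote']:<24} out={r['out_bytes']:>9} in={r['in_bytes']:>7} "
              f"rate={r['out_rate_bps']:>10.0f} B/s ports={r['ports']} {flag}")
```

Feed it a real capture with `sudo tcpdump -n -tt -i <iface> ip6 > cap.txt` and `summarise(open("cap.txt").read())`; set `LOCAL_PREFIX` to the prefix `ip -6 addr` shows for the interface. Hosts flagged here are worth resolving (`whois`, `dig -x`) and matching against what `ss -tnp` reports as the owning process.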