Re: About WiFi7

Subject: Re: About WiFi7
From: invalid (at) *nospam* invalid.invalid (Edward Rawde)
Newsgroups: sci.electronics.design
Date: 24. Aug 2024, 01:14:03
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID : <vab8kd$md1$1@nnrp.usenet.blueworldhosting.com>
References : 1 2 3 4 5 6 7
User-Agent : Microsoft Outlook Express 6.00.2900.5931
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vab51q$12s47$2@dont-email.me...
On 8/23/2024 1:37 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vaanpe$112hi$1@dont-email.me...
On 8/23/2024 7:44 AM, Edward Rawde wrote:
Pretty much everything is on all the time here.
>
I have at least three boxes running 24/7/365:
- my "network services" box (TFTP, NTP, DNS, etc.)
- this "internet access" box (isolated from the rest of the network)
- at least one workstation
Servers, SANs, NASs, laptops are more "transient" devices that come on and
off as they are needed.
>
Servers have to be or they won't be serving. And why would I want to wait
while Windows says "You will not turn off your computer for half an hour
while I update". Windows boxes which are mostly turned off invariably spend
the next hour installing updates when they are turned on.
>
With an air-gapped network, you don't have to bother with countless "updates"
(which can be seen as malware in and of themselves!)
>
But I don't see how an air-gapped network is a network.
I would not be able to get anything done.
>
If everything you need is IN that network, then why open it up to potential
adversaries?

I don't have anything open to potential adversaries.

I have scanners, printers, in-circuit-emulators, CAD/CAE
systems, etc. all "a click away"

So do I.

-- without ever leaving the confines of
my home/office.

I can use mine from any country I'm likely to be in.

>
If I need to find a datasheet, I can move to THIS machine, locate the
datasheet, download it to a thumb drive and sneakernet it into the
office.  How often do you need to do *that*?

Every few minutes, and I can do it all from where I sit, even if I go to another country.

>
This machine runs nothing but Firefox and Tbird and HAS nothing on it of
any value (my address book?  stripped of all "personal information", of
course -- even my "username" is anonymous!)  So, there is nothing to lose
if "compromised" and I can restore everything in 12 minutes (the time it
takes to reload the most recent "image")
>
NOT having a directly routed IP gives added protection from incoming
threats (multi-NAS).  I have a cloaked server that is accessible
(Co-lo'ed) for the select persons that need access to it.
>
Paranoia does have a lot to answer for in the cybersecurity world.
>
I came across an individual with three virus scanners installed a few days ago.
I didn't bother giving advice, I just left them to waste hours running scans.
I did ask when they last found a virus and was confidently told "never".
>
I have no such tools "installed", here.

Same here. Just the default Microsoft scanner.

Every 6 months, I pull the disk from
this machine and check the disk pulled 6 months earlier with the "latest"
free AV scanner.  This gives the tool vendor a chance to catch up with
the latest exploits (a 6 month window) which a "current subscriber" can
only HOPE to gain protection.
>
I've never found anything.  So, either the tools folks are using are
ineffective -- or, my internet behavior is pro-actively robust.

Well if you put yourself in prison you're not likely to be bothered by much from outside.

>
Why would I want to waste time updating and protecting *tools*?
>
Networks are safe if configured properly whether wired or wifi.
>
That's not necessarily true.  *Physical* access trumps all attempts at
protection.
>
You haven't got a network if you need physical access. You have to be there.
>
Of course you have a network.  I have three 24-port switches in the office
(virtually all ports in use) and two 12's in my bedroom.  Is this NOT a network
because I can walk to all of the nodes?
>
If a person has physical access to YOUR "network", then security is a moot
point.  Even an encrypted drive is vulnerable -- I *steal* it and I've
now effectively denied you service.

Plenty of people have physical access to my network.
Most of them wouldn't know a switch from a banana.
Those who would are trusted people.
Untrusted people who might know what a switch is are simply not allowed anywhere near my physical LAN.

>
I could be writing this post from one country today and another tomorrow.
>
As could I.  By using any NNTP agent on any internet connected machine.
Why does it have to be one of the machines on my air-gapped network?

Because you'd have missed your flight by the time you find and install one and what if you need that data sheet you left on your office computer?
Sure you can download it but was that LT1234 or LT2341 or LTC1324? and what if you'd really like to have the LTSpice simulation you did at the office?

>
Countries I never go to (Mostly non-English speaking countries) are blocked inbound by pfsense.
>
Wonderful.  And you have to maintain that.  Instead of doing "real work".

LOL these people maintain it for me:
https://www.maxmind.com/en/home

>
That leaves "hackers" in USA and a few other countries who go on a pfsense blacklist if they are persistent.
They aren't going to guess the password anyway but I don't like my logs cluttered with obvious password guessing attempts.
A quick look at the firewall log shows that I'll probably add this one to the blacklist
https://www.abuseipdb.com/check/104.234.229.117
>
>
While it's not likely that an unauthorized user will be able to get directly
on my LAN, that does not by itself mean that they could obtain information I
don't want them to have.
>
But that's true of any site that you visit.  Even your "network identity"
can be uniquely fingerprinted by a remote service WATCHING how you access it.
>
Not sure what you mean by that but Tor is ready for any site I don't want to "identify" to.
>
Your browser can be fingerprinted.  They (the sites you visit) may not know
your *name* (yet) but, know that "you" are visiting site X, Y and Z.  Are
you sure they aren't sharing information about your visits?

Fairly sure yes. I can tell because YouTube doesn't offer relevant (or so it thinks) videos whenever I restart my browser.

>
If you leave your systems off for anti hacking reasons then you have
effectively caused a denial of service attack against yourself.
>
Yup.  But, you only need to make it accessible to *yourself* to avoid that
problem.  Too many businesses expose more than they need to just because
limiting that exposure is harder if "everything" is hiding on the same
server with ACLs as the only practical "defense".
>
That's usually because management don't know how anything works.
>
It's usually because folks are lazy and overconfident in their abilities
to lock things down.  Take the very same folks and pay them to *infiltrate*
the systems that they had previously been "protecting".  Amazing how many
"holes" you can find when your attitude is to FIND them instead of
(pretending) to plug them.

Human nature isn't going to change any time soon.

>
The same is true of most developers -- especially folks writing software.
Have someone pay you to break the design you just "finished" and you (and
they) will forever see your *design* efforts in a different light!
>
How hard do you work at trying to identify conditions that can/will break
your design?

Depends on what I'm designing and what it will be used for.

>
and those who do prefer an "if it ain't broke don't fix it" approach to avoid upsetting management with system downtime.
Sometimes it's because the installation instructions for say, a database server, are followed and everything seems to work fine.
But no-one pays attention to where inbound connections to 3306 might come from.
>
No one thinks about where connections *should* come from!
Instead, they convince themselves that they want to maximize
convenience "just in case I want to have access from XXXXX".
They gleefully ignore the fact that an adversary can be
*anywhere* leveraging a hijacked host "somewhere" to LOOK
like a possibly legitimate access.

Oh yes I get plenty of packets from compromised machines where the perpetrator is hidden by that machine.
But they still can't open a properly locked online door no matter how many keys they try.

>
[Do you think a 50 million LoC piece of software doesn't have tens of
thousands of latent bugs??  Bugs that can be identified, verified and
quantified without your ever being aware that this has happened?]
>
Consider, carefully, what you really need access to outside of your own
physical domain.
>
Oh I have, for a long time.
So for me I can work from anywhere I might need to work from as if I was here, and all my files are here (not in any cloud).
>
Thus they are all accessible -- to a determined adversary, as well.

Only in Paranoia land.
In reality they are accessible only to those who should have access.

Do you really *need* access to all that?

Of course. Why shouldn't I work from anywhere as if I was here?
I can have immediate access to anything I might need to show a potential customer without needing to remember to copy it to my laptop.
I can have a quiet day in the library doing exactly the same work I do here with the same tools and the same data.
I can work from a hotel room just as if I was here.

 Or, are you just making the
same error as above:  maximizing convenience "just in case"??

I was away last weekend but could work as if I was here.
One individual's error is another individual's way of doing things.

I think maybe you should get some glasses which, at the first hint of danger, turn totally black.
Thus preventing you from seeing anything which might alarm you.

>
I've never had a malware issue, well not since I accidentally put an unpatched Windows 2000 box on a raw connection and got nimda.
Since it was a fresh install it didn't matter. It was quickly wiped.
>
Then, RE-consider that!
>
>
>
>
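
The thread mentions putting persistent password guessers on a firewall blacklist while ignoring one-off failures. The following is an added example, not part of the original post or of pfSense: it counts failed logins per source inside a sliding time window and returns the sources that reach a threshold. The function name `persistent_sources`, the threshold, the window and the log lines (OpenSSH-style messages with ISO timestamps, in chronological order) are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the post). OpenSSH-style messages with
# ISO timestamps; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-08-23T14:00:00 gw sshd[201]: Failed password for root from 198.51.100.20 port 50001 ssh2
2024-08-23T15:00:00 gw sshd[202]: Failed password for root from 198.51.100.20 port 50002 ssh2
2024-08-23T16:00:00 gw sshd[203]: Failed password for root from 198.51.100.20 port 50003 ssh2
2024-08-23T17:00:00 gw sshd[204]: Failed password for root from 198.51.100.20 port 50004 ssh2
2024-08-23T18:00:00 gw sshd[205]: Failed password for root from 198.51.100.20 port 50005 ssh2
2024-08-23T19:30:10 gw sshd[300]: Failed password for alice from 192.0.2.44 port 41000 ssh2
2024-08-23T19:30:25 gw sshd[300]: Accepted password for alice from 192.0.2.44 port 41000 ssh2
2024-08-23T20:00:01 gw sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
2024-08-23T20:00:05 gw sshd[311]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2024-08-23T20:00:09 gw sshd[311]: Failed password for root from 203.0.113.7 port 40114 ssh2
2024-08-23T20:00:14 gw sshd[311]: Failed password for root from 203.0.113.7 port 40115 ssh2
2024-08-23T20:00:20 gw sshd[311]: Failed password for invalid user test from 203.0.113.7 port 40116 ssh2
2024-08-23T20:00:31 gw sshd[311]: Failed password for root from 203.0.113.7 port 40117 ssh2
"""

# Matches failed-password lines only; IPv4 sources only in this example.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def persistent_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak failures inside any window} for sources that reach
    `threshold` failures within `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    print(persistent_sources(SAMPLE_LOG))
```

With the defaults only the burst from 203.0.113.7 is reported; the once-an-hour guesser at 198.51.100.20 appears only when the window is widened, which is the trade-off between a short window and slow, patient guessing.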
 


