On 12/12/2024 4:36 PM, Edward Rawde wrote:
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
The host based filter is worthless if the user is administrator (like most Windows users are) because malware can configure/disable
the firewall as it likes.
It's not going to suddenly decide that, e.g., PhotoShop needs access to
the internet!
I don't permit outbound connections to a long list of countries.
>
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
defenses" (WELCOMED in!) can act on behalf of some other agency.
>
IP filtering doesn't buy you any real protection.
It does if you watch the logs for anything unusual.
Do you have more than one host? Printer? etc. How many thousands of
connections are you going to examine every day?
Windows machines typically run a whole slew of protocols, many of which
have dubious GENERAL value. Yet, disable one and you may find you've
shutdown CIFS support. Or, network discovery protocols. Or...
A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.
So, you work for your computer! Most folks want their computers to work
for THEM!
Just like I watch who goes in and out of my house and who I give keys to.
Imagine owning a house where you can't tell who comes and goes or who has keys.
Knowing who has keys tells you ONLY who has keys. It tells you nothing
of whether they are using them, have given them to someone else to use, etc.
Do you really spend your waking hours watching all the lockable doors on
your property? AND, connections to your computer(s)?
That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
cleanup.
A simpler solution is simply not to have anything "stealable" on a machine
that can be compromised.
If you could commandeer THIS machine, remotely, you could look to see
who I correspond with. And, what I've downloaded, recently.
And, that's about it!
If you manage to install malware, then you could use it as a C&C node to
manipulate other machines -- machines that I don't own (because the only
other thing on this network is a printer and the modem).
And, at the next semi-annual review, I will discover your malware
and remove it -- along with taking steps to protect against reinfection
(e.g., install the custom boot loader that I have on the laptop that
wipes the OS each time I boot)
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
>
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
>
Knowing that a server exists is information. (esp if your AUP
prohibits them! :> ) Knowing that there is <something> sitting
at an IP invites probes.
Knowing that there's a house there is information.
Who said there is a house? :> Who says it is (physically) *here*?
Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
getting in unseen.
What difference if you can still get in and inflict whatever damage?
Imagine trying to get OUT in the event of a fire... when the drawbridge
mechanism fails?
Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.
An address that never reacts to your actions is uninteresting.
And, unless you can snoop the actual traffic, you can't know that
the address is actually actively moving data!
In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing someting potentially
interesting.
I have ~70 hosts in my office. Yet, you'd be hard pressed to see more
than one or two (despite not deliberately trying to "hide") simply
because they are never ALL powered up (yet each needs a distinct
IP so I can power up any subset of them).
The advantage of an "internal agent" (like a pwn plug) is that it
can run 24/7/365 and patiently collect data from its observations.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana
growers.
>
The joke was that the transformer had NO wires (primary or secondary)
attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
>
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
It must have been powered by something, even if everything else was wireless.
A large battery. The voltage present on the pole is ~11KV (14KV?) or more.
Silly to design a surveillance device that has to accept those high voltages
for power when you have all that volume to use for an energy store!
(You can always come back to visit it a month later to replace the battery
and retrieve the stored video footage!)
Win11 explorer bug?
Re: Win11 explorer bug?