Re: Win11 explorer bug?

"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...

On 12/12/2024 4:50 PM, Edward Rawde wrote:

"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...

On 12/12/2024 2:31 PM, Joe Gwinn wrote:

The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
>
So, that convenience is decisive for me. Win win.

>
A dodge occurs to me:  Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces.  Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.

>
First, not all ISPs will allow inbound connections.  E.g., many
hide their subscribers behind NAT so incoming connections can't
find specific hosts.

>
They tried to put me on lsn/cgnat. I was given a static IPv4 when I complained.
Previously the IP had been sufficiently static but not totally static.

>
I prefer hiding behind NAT as it makes it that much harder for
unwanted incoming connections.
>

Second, there is nothing that prevents a device THAT YOU HAVE
WILLINGLY INSTALLED from having malware in it that compromises
your internal network.  This, because most folks only implement
perimeter security mechanisms.  So, a device is free to "call out"
and open a connection that allows an external actor to get past
any such peripheral defenses.

>
It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free
access
to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
packet filtered as necesary.

>
You don't REALLY think all of theses security breaches happen because
a piece of malware HAS valid credentials?  If that was all it took
to secure a network, just put 16 character "license plate" passwords
on all accounts and don't worry about a breach until Hell starts getting
really cold!
>
Once you are inside a perimeter defense, you can poke at machines
at your leisure and accumulate results, sharing them with your
external "accomplice" as need be for further refinement and instruction.
>
Imagine Joe Super Hacker having a network drop in your spare
bedroom.  Do you KNOW hat he is there?  Can you anticipate EVERYTHING
that he will attempt?  Can you lock down the data that he steals before
it gets out past your firewall?
>
[If so, then why do so many "professional organizations" have problems
doing this?]

One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis
scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
Let's take a hospital with myriad networked devices on various networks.
Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?

>

And, because any of your protections likely deal with the
internal vs. external networks as separate, homogenous entities,
there is no way for you to easily determine where (physically)
traffic is originating or terminating.  A device can pretend (from
the standpoint of packet inspection) to be any device on "your"
network.

>
That still doesn't mean it has access credentials for anything it shouldn't have.

>
See above.