One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
john larkin <JL@gct.com> Wrote in message:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
I know win 10 FE does not like searching network shares. Never
been fixed.
Cheers
On Sun, 08 Dec 2024 16:33:41 -0800, john larkin <JL@gct.com> wrote:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
Clear FE's caches, then shut computer down to cold, then boot back up.
Did anything change?
Google on the symptoms and see if you have company.
Joe Gwinn
On 09/12/2024 00:33, john larkin wrote:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
Do you get a BSOD or a crash dump when it fails?
On Mon, 09 Dec 2024 10:42:57 -0500, Joe Gwinn <joegwinn@comcast.net>
wrote:
On Sun, 08 Dec 2024 16:33:41 -0800, john larkin <JL@gct.com> wrote:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
Clear FE's caches, then shut computer down to cold, then boot back up.
Did anything change?
Google on the symptoms and see if you have company.
Joe Gwinn
One site says to clear the cache, with a step-by-step procedure. In
conformance to Microsoft standards, those steps don't actually exist
any more.
On Mon, 9 Dec 2024 11:01:24 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 09/12/2024 00:33, john larkin wrote:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
Do you get a BSOD or a crash dump when it fails?
The file explorer window just freezes up. It can be killed with the
task manager and then it works again.
And, maybe unrelated, my PC has decided to do dead black screen once
in a while, for 30 seconds or so.
And when I restart, the cursor has a little blinking hourglass
attached for a day or so.
Windows is such garbage.
On 09/12/2024 22:44, john larkin wrote:
On Mon, 9 Dec 2024 11:01:24 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 09/12/2024 00:33, john larkin wrote:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
Do you get a BSOD or a crash dump when it fails?
The file explorer window just freezes up. It can be killed with the
task manager and then it works again.
Sounds like a race condition where it is waiting for something that
never happens and doesn't timeout properly. MS has lots of those :(
And, maybe unrelated, my PC has decided to do dead black screen once
in a while, for 30 seconds or so.
Try disabling the screen saver.
I have found Win11 almost as usable as Win7 with none of the troubles
you see. Main advantage for me is that Win11 understands E & P cores.
Win8 was a complete crock of shit. Win10 wasn't much better but I
managed to avoid it entirely since Win7 was so good.
And when I restart, the cursor has a little blinking hourglass
attached for a day or so.
Windows is such garbage.
Don't expect me to stand up for MickeySoft!
On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I have found Win11 almost as usable as Win7 with none of the troubles
you see. Main advantage for me is that Win11 understands E & P cores.
What's an E&P?
On 10/12/2024 15:44, john larkin wrote:
On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I have found Win11 almost as usable as Win7 with none of the troubles
you see. Main advantage for me is that Win11 understands E & P cores.
What's an E&P?
Economy cores (E) are good for general stuff working at human data rates
and much lower power whereas Performance cores (P) are good at running
flat out but power hungry. Win11 is the first version that properly
allocates heavy CPU bound tasks consistently to the right sort of core!
On Tue, 10 Dec 2024 16:29:00 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 15:44, john larkin wrote:
On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I have found Win11 almost as usable as Win7 with none of the troubles
you see. Main advantage for me is that Win11 understands E & P cores.
What's an E&P?
Economy cores (E) are good for general stuff working at human data rates
and much lower power whereas Performance cores (P) are good at running
flat out but power hungry. Win11 is the first version that properly
allocates heavy CPU bound tasks consistently to the right sort of core!
My new monster Win 11 tower, with a gigantic heavy GPU and terabytes
of SSD and 16G ram, only runs LT Spice about twice as fast as my old
laptop. I was disappointed... I was hoping for 10x or so.
Spice is the only thing I do that needs a lot of compute power.
On 10/12/2024 17:41, john larkin wrote:
On Tue, 10 Dec 2024 16:29:00 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 15:44, john larkin wrote:
On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I have found Win11 almost as usable as Win7 with none of the troubles
you see. Main advantage for me is that Win11 understands E & P cores.
What's an E&P?
Economy cores (E) are good for general stuff working at human data rates
and much lower power whereas Performance cores (P) are good at running
flat out but power hungry. Win11 is the first version that properly
allocates heavy CPU bound tasks consistently to the right sort of core!
My new monster Win 11 tower, with a gigantic heavy GPU and terabytes
of SSD and 16G ram, only runs LT Spice about twice as fast as my old
laptop. I was disappointed... I was hoping for 10x or so.
Spice is the only thing I do that needs a lot of compute power.
Trouble with solving huge non-linear matrix problems is that they don't
parallelise at all well. You could well be better off with whichever of
the current CPU crop has the fastest single threaded performance.
Provided that it is only for scratch working it is still worth at least
considering using the dangerous for risk of data loss RAID0 in a matched
pair configuration to nearly double effective disk bandwidth. There is
much less advantage doing this trick now than there used to be.
Obviously data is toast if anything goes wrong so don't store important
results on it long term. I no longer bother but it might help you.
On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 17:41, john larkin wrote:
Spice is the only thing I do that needs a lot of compute power.
Trouble with solving huge non-linear matrix problems is that they don't
parallelise at all well. You could well be better off with whichever of
the current CPU crop has the fastest single threaded performance.
I wish the monster graphics processor could run Spice.
Obviously data is toast if anything goes wrong so don't store important
results on it long term. I no longer bother but it might help you.
We back up brutally, on local servers and online.
Once a month I get a multi-terabyte USB hard drive with copies of all
our servers and our shared Dropbox accounts. We treat them as
write-once, and distribute them around California.
On 10/12/2024 21:47, john larkin wrote:
On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 17:41, john larkin wrote:
Spice is the only thing I do that needs a lot of compute power.
Trouble with solving huge non-linear matrix problems is that they don't
parallelise at all well. You could well be better off with whichever of
the current CPU crop has the fastest single threaded performance.
I wish the monster graphics processor could run Spice.
Why do you use the monster graphics processor then?
I find that for my work the built in graphic capability of Intel chips
is more than adequate for all 2D work and tolerable for 3D if you never
do too much full scale photo video rendering and flybys.
Useless for gaming, AI code or realtime video editing but at present I
don't do any of those often enough to merit a fancy fast graphics card
in my main machine. I prefer to have it run cool, quiet and well under
50W unless it is being asked to work very hard when it rises to 80W.
When editing documents or diagrams and no serious computations are
running I sometimes get warnings that the CPU fan has stopped.
Obviously data is toast if anything goes wrong so don't store important
results on it long term. I no longer bother but it might help you.
We back up brutally, on local servers and online.
Once a month I get a multi-terabyte USB hard drive with copies of all
our servers and our shared Dropbox accounts. We treat them as
write-once, and distribute them around California.
I hope you verify that you can get the data back if you had to.
On Tue, 10 Dec 2024 22:15:43 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 21:47, john larkin wrote:
On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 17:41, john larkin wrote:
Spice is the only thing I do that needs a lot of compute power.
Trouble with solving huge non-linear matrix problems is that they don't
parallelise at all well. You could well be better off with whichever of
the current CPU crop has the fastest single threaded performance.
I wish the monster graphics processor could run Spice.
Why do you use the monster graphics processor then?
We have IT consultants. I told them to get me four identical PCs,
small towers with modest graphics and Win10. They bought four monsters
that I literally can't carry alone, with a crazy GPU mess. The
motherboard is about 8" square and the GPU is the size and weight of a
small tractor.
After months of tuning and registry edits and add-ons, it's usable but
not enjoyable.
They do seem to be reliable.
On 12/9/24 21:33, Martin Rid wrote:
john larkin <JL@gct.com> Wrote in message:
One of my guys said that File Explorer is lately crashing in weird
ways. Now mine has started doing it.
We share files with Dropbox, so maybe the bug is there.
I know win 10 FE does not like searching network shares. Never
been fixed.
Cheers
Oh, if it's that, Linux suffers from that problem too.
The trouble is that GUI file explorers want to know
everything about a file, even remote ones, and even when
it isn't actually required to show any of it. It will
even download the whole file *contents* just to make tiny
little icons! What a waste!
All that data is costly to get. As a result it takes
forever. Meanwhile, it won't respond to user clicks, so
effectively it's hung.
Very poor software design, but there you have it.
Fortunately, in Linux we have 'ls' which is smarter.
Jeroen Belleman
On 11/12/2024 02:48, john larkin wrote:
On Tue, 10 Dec 2024 22:15:43 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 21:47, john larkin wrote:
On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
On 10/12/2024 17:41, john larkin wrote:
Spice is the only thing I do that needs a lot of compute power.
Trouble with solving huge non-linear matrix problems is that they don't
parallelise at all well. You could well be better off with whichever of
the current CPU crop has the fastest single threaded performance.
I wish the monster graphics processor could run Spice.
Why do you use the monster graphics processor then?
We have IT consultants. I told them to get me four identical PCs,
small towers with modest graphics and Win10. They bought four monsters
that I literally can't carry alone, with a crazy GPU mess. The
motherboard is about 8" square and the GPU is the size and weight of a
small tractor.
I will concede that it is extremely difficult to convince any vendor
that you want such a high spec machine with very basic graphics. I think
it went round three times before they accepted that I really knew what I
wanted and understood the trade offs involved. Sales questioned it,
pre-build review questioned it and then the guy building it rang up too.
Yes I was sure I didn't want their high spec graphics card using twice
as much power as all the rest of the machine put together.
After months of tuning and registry edits and add-ons, it's usable but
not enjoyable.
They do seem to be reliable.
I don't find Win11 different enough to Win7 to really notice anything
other than a few minor cosmetic niggles that are easily fixed like right
click menus that by default don't include the features I use most often.
On Wed, 11 Dec 2024 09:22:51 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I don't find Win11 different enough to Win7 to really notice anything
other than a few minor cosmetic niggles that are easily fixed like right
click menus that by default don't include the features I use most often.
File drag and drop is the worst. If the destination file exists, you
have to enter a secondary dialog that itself makes no sense.
I have to read the file dates and times manually, before I copy.
I do have a little program that copies folders and only does the later
date files.
Another bad thing about 11 is that it likes to pop up ugly things that
make it hard to see what you are doing.
And keeps changing folder views. I don't want to see cartoons just
because I'm copying a jpeg.
Why does the biggest programming team in history write such garbage
code?
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.
I'm thinking of a particular heating system with thermostat. You can program the times when the heating turns on automatically and the temps only via internet. On the thermostat on the wall there is only a manual control that sets the temp for "now", a knob.
Oh, and it comes with no manual, no docs.
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone, via
WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network stack
in the appliance, all of the network infrastructure from your AP to the
manufacturer's server, then, back through the phone network, up through
the stack in your phone and, finally, through the app to the display.
Nothing can go wrong, there, right? <rolls eyes>
If I can manage to hang (if not outright CRASH) the appliance using the
FEW controls available to me, how many more wonderful and exciting ways
might it be at risk with all this other fluff involved?
Do I *really* need to be able to turn the oven on as I leave work so the roast has had extra time to cook while I'm busy driving?
How might my "blind" actions interact with some activities initiated
by whomever happens to be IN the house (by the appliance) at the time?
How many races remain in hiding in the implementation? (clearly they
didn't test for ALL of these if I can tickle several of them so easily)
I'm thinking of a particular heating system with thermostat. You can
program the times when the heating turns on automatically and the
temps only via internet. On the thermostat on the wall there is only a
manual control that sets the temp for "now", a knob.
This is a false design economy: "Let's skip the interface on the actual device in favor of one on some OTHER device." It invites the two falling out of sync with each other as there is nothing ensuring updates to one
are also propagated to the other.
I'm dicking with UPSs this morning. In theory, all of them should be
configured identically -- with the exception of specific instance data
(e.g., host name, IP address, SNMP traps, etc.). I can attempt to verify
this by dumping the configurations (in text format) and doing a
line-by-line compare.
"Gee, how come this UPS has a whole set of settings that the others
don't? Same version software..."
Oh, and it comes with no manual, no docs.
Of course not! That would be a THIRD thing that would fall out of sync
with the others!
The ideal design is the one where you can remove nothing MORE from it.
Yet, we see so many products built on Linux kernels (from which a LOT
can be removed -- including the bugs associated with all that cruft!)
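A worked version of the line-by-line compare Don describes, as an added example that is not part of the thread and not any UPS vendor's tooling. It parses text dumps of several units, masks the fields that are expected to differ per unit (host name, IP address, SNMP trap receiver), and reports keys that exist on some units but not others plus shared keys whose values disagree. The key names and the three sample dumps are constructed for illustration and are not a real vendor's schema.

```python
"""Fleet configuration drift check over text config dumps.

Added example, not from the thread: given key=value dumps of several UPS
units, mask the per-unit fields and report every key present on some
units but not others, plus every shared key whose value differs.  The
key names and sample dumps are assumptions made up for illustration.
"""
import re
from typing import Dict, List, Tuple

# Keys whose values legitimately differ per unit (assumed names).
INSTANCE_KEYS = {"hostname", "ip_address", "snmp_trap_receiver"}

# Constructed sample: three units that should be identical; ups-c has
# grown two extra settings and a changed shared value.
DUMPS = {
    "ups-a": """hostname=ups-a
ip_address=10.0.0.11
snmp_trap_receiver=10.0.0.5
firmware=3.2.1
low_battery_threshold=20
shutdown_delay=120
""",
    "ups-b": """hostname=ups-b
ip_address=10.0.0.12
snmp_trap_receiver=10.0.0.5
firmware=3.2.1
low_battery_threshold=20
shutdown_delay=120
""",
    "ups-c": """hostname=ups-c
ip_address=10.0.0.13
snmp_trap_receiver=10.0.0.5
firmware=3.2.1
low_battery_threshold=15
shutdown_delay=120
telnet_enabled=1
default_gateway=10.0.0.1
""",
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")


def parse_dump(text: str) -> Dict[str, str]:
    """Parse key=value lines into a dict; blank and '#' comment lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def normalise(conf: Dict[str, str]) -> Dict[str, str]:
    """Replace per-unit values with a placeholder so they never count as drift."""
    return {k: ("<instance>" if k in INSTANCE_KEYS else v) for k, v in conf.items()}


def find_drift(dumps: Dict[str, str]) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, str]]]:
    """Return (extra_keys, value_drift).

    extra_keys:  key -> units that have it, for keys missing on at least one unit
    value_drift: key -> {unit: value} for shared keys whose values disagree
    """
    confs = {unit: normalise(parse_dump(text)) for unit, text in dumps.items()}
    all_keys = set().union(*(c.keys() for c in confs.values()))
    extra_keys: Dict[str, List[str]] = {}
    value_drift: Dict[str, Dict[str, str]] = {}
    for key in sorted(all_keys):
        holders = sorted(u for u, c in confs.items() if key in c)
        if len(holders) != len(confs):
            extra_keys[key] = holders          # "a whole set of settings the others don't have"
            continue
        values = {u: confs[u][key] for u in holders}
        if len(set(values.values())) > 1:
            value_drift[key] = values
    return extra_keys, value_drift


if __name__ == "__main__":
    extra, drift = find_drift(DUMPS)
    for key, units in extra.items():
        print(f"key {key!r} only on: {', '.join(units)}")
    for key, values in drift.items():
        print(f"key {key!r} differs: {values}")
```

Masking the instance keys before the compare is what keeps the report to real drift; a raw `diff` of the dumps would drown the two extra keys in the expected host-name and address differences.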
On 2024-12-12 14:16, Don Y wrote:
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone, via WiFi. The
physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
Certainly. There is no other way unless ISPs provide IPv6 connectivity.
So, you have the application layer in the appliance, the network stack in the
appliance, all of the network infrastructure from your AP to the manufacturer's
server, then, back through the phone network, up through the stack in your
phone and, finally, through the app to the display.
Nothing can go wrong, there, right? <rolls eyes>
Well, it has economic advantages.
If I can manage to hang (if not outright CRASH) the appliance using the
FEW controls available to me, how many more wonderful and exciting ways
might it be at risk with all this other fluff involved?
Do I *really* need to be able to turn the oven on as I leave work so the
roast has had extra time to cook while I'm busy driving?
I really do *need* to handle the heating remotely.
How might my "blind" actions interact with some activities initiated
by whomever happens to be IN the house (by the appliance) at the time?
Not a concern for me.
How many races remain in hiding in the implementation? (clearly they
didn't test for ALL of these if I can tickle several of them so easily)
I'm thinking of a particular heating system with thermostat. You can program
the times when the heating turns on automatically and the temps only via
internet. On the thermostat on the wall there is only a manual control that
sets the temp for "now", a knob.
This is a false design economy: "Let's skip the interface on the actual
device in favor of one on some OTHER device." It invites the two falling
out of sync with each other as there is nothing ensuring updates to one
are also propagated to the other.
They save hardware and firmware, which was my point.
On 11/12/2024 19:01, john larkin wrote:
On Wed, 11 Dec 2024 09:22:51 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:
I don't find Win11 different enough to Win7 to really notice anything
other than a few minor cosmetic niggles that are easily fixed like right
click menus that by default don't include the features I use most often.
File drag and drop is the worst. If the destination file exists, you
have to enter a secondary dialog that itself makes no sense.
I hate file drag and drop. I certainly wouldn't want to be able to
destroy files that already exist in the destination folder. YMMV
I have to read the file dates and times manually, before I copy.
I do have a little program that copies folders and only does the later
date files.
Another bad thing about 11 is that it likes to pop up ugly things that
make it hard to see what you are doing.
I've turned that crap off.
And keeps changing folder views. I don't want to see cartoons just
because I'm copying a jpeg.
Why does the biggest programming team in history write such garbage
code?
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjennd$24vi6$1@dont-email.me...
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network stack in the
appliance, all of the network infrastructure from your AP to the manufacturer's
server, then, back through the phone network, up through the stack in your
phone and, finally, through the app to the display.
I hate this too.
I'm resistant to cameras which bounce off the manufacturer's server, which could be anywhere.
On 12/12/24 14:16, Don Y wrote:
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone,
via WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network
stack in the appliance, all of the network infrastructure from
your AP to the manufacturer's server, then, back through the phone
network, up through the stack in your phone and, finally, through
the app to the display.
Nothing can go wrong, there, right? <rolls eyes>
Apart from the obvious security and reliability worries, there is
the issue that the *manufacturer* gets to decide when *your* device
is obsolete.
The software industry invented that trick, but lots of other
industries are catching on.
Jeroen Belleman
On 12/12/2024 8:08 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjennd$24vi6$1@dont-email.me...
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network stack in the
appliance, all of the network infrastructure from your AP to the manufacturer's
server, then, back through the phone network, up through the stack in your
phone and, finally, through the app to the display.
I hate this too.
I'm resistant to cameras which bounce off the manufacturer's server, which could be anywhere.
Also meaning subject to the laws of different countries (based on its siting).
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
E.g., that data, passing through the server, is no longer under
YOUR control. And, can be monetized without your compensation.
This is possible with ANY device that passes through an unnecessary
server. (Your smart thermostat knows when you are home, when
you are "active", etc.)
On 12/12/2024 2:59 AM, Martin Brown wrote:
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
Once something becomes "complex" (i.e., too large to fit in a
single brain), it becomes difficult to understand the repercussions
of specific design decisions -- because you can't remember
EVERYTHING with which they interact.
[This is why big pieces of software are shit. For "efficiency"
(and lack of design vision), everything gets dropped into one
big executable. This is the norm for Windows, Android, etc.
By contrast, in UN*X, one would plumb existing applications
together to meet some new need -- instead of folding the new
functionality into that one big app!]
We have a stove/oven that has the ideal universal interface
(in the mind of some idiot): a big knob as SELECTOR that
one can PRESS to make the current selection. A "back"
button as an afterthought.
But, it's the SOLE interface.
Works as expected to "select" cooking conditions. But, the
designer/coder obviously forgot that multiple things can be
happening concurrently -- all of which require the user
to interact via that ONE interface!
So, if the user is in the process of doing one such thing and
some OTHER thing demands attention...? Where is the interface
bound at that point in time? Is he still doing that first
thing? Or, interacting with that (asynchronous) second thing?
Eventually, the user resorts to turning the appliance OFF
(dedicated button to do so). Which aborts BOTH tasks. And,
leaves him having to restart BOTH!
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
Inbound is problematic for various reasons.
Do you want your cameras accepting inbound connections from anywhere in
the world?
OK, they don't have access credentials, but there's still a risk of a
0-day in a camera system which isn't going to get any more firmware
updates.
I would do this myself because I can use a firewall to restrict inbound
as necessary and I can quickly add any IP or network attempting brute
force to a blacklist.
But most people have no interest in that.
Most people just want the pictures on their phone wherever they are and
they may wrongly assume that it's impossible for the pictures to be
viewed by anyone other than themselves.
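The "add any IP or network attempting brute force to a blacklist" step, as an added example that is not part of the thread and not any firewall product's code. It reads sshd-style authentication log lines, counts failed logins per source inside a sliding time window, and blocks an address that trips a threshold; it also catches the slower case where a handful of addresses in the same /24 each try a few passwords, and blocks the network instead. The log lines, addresses, thresholds and window are constructed for illustration.

```python
"""Brute-force source blacklisting from authentication logs.

Added example, not from the thread: parse constructed sshd-style log lines,
count failed logins per source address inside a sliding window, and emit
a set of addresses and /24 networks to block.  Log format, addresses and
thresholds are assumptions made up for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Set

# Constructed sample: one noisy host, one slow sweep spread over a /24,
# and one legitimate user with a single typo.
SAMPLE_LOG = """\
2024-12-12T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 4100
2024-12-12T10:00:03 sshd[101]: Failed password for root from 203.0.113.7 port 4101
2024-12-12T10:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 4102
2024-12-12T10:00:06 sshd[101]: Failed password for admin from 203.0.113.7 port 4103
2024-12-12T10:00:08 sshd[101]: Failed password for pi from 203.0.113.7 port 4104
2024-12-12T10:00:20 sshd[102]: Failed password for root from 198.51.100.10 port 5000
2024-12-12T10:00:21 sshd[102]: Failed password for root from 198.51.100.11 port 5001
2024-12-12T10:00:22 sshd[102]: Failed password for root from 198.51.100.12 port 5002
2024-12-12T10:00:23 sshd[102]: Failed password for root from 198.51.100.13 port 5003
2024-12-12T10:00:30 sshd[103]: Accepted publickey for ops from 192.0.2.9 port 6000
2024-12-12T10:20:00 sshd[104]: Failed password for root from 192.0.2.9 port 6001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for \S+ from (?P<ip>\S+) port \d+"
)


def blacklist(log: str, per_ip: int = 5, per_net: int = 4,
              window_s: int = 600) -> Set[str]:
    """Return the addresses and /24 networks to block.

    per_ip:  failures from one address inside window_s that trigger a block
    per_net: distinct addresses in one /24 each failing inside window_s that
             trigger a block of the whole /24
    """
    per_ip_hits: Dict[str, Deque[datetime]] = defaultdict(deque)
    per_net_hits: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    blocked: Set[str] = set()

    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # successes and unrelated lines are ignored
        ts = datetime.fromisoformat(m.group("ts"))
        ip = m.group("ip")
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))

        # Sliding window per address: drop events older than window_s.
        q = per_ip_hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= per_ip:
            blocked.add(ip)

        # Distributed sweep: many distinct addresses in one /24, few tries each.
        seen = per_net_hits[net]
        seen[ip] = ts
        for other, last in list(seen.items()):
            if (ts - last).total_seconds() > window_s:
                del seen[other]
        if len(seen) >= per_net:
            blocked.add(net)

    return blocked


if __name__ == "__main__":
    for entry in sorted(blacklist(SAMPLE_LOG)):
        print("block", entry)
```

The per-/24 rule is the part worth keeping in mind: a sweep that rotates source addresses stays under any per-address threshold, so a blacklist that only keys on the exact IP never sees it.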
On 12/12/2024 12:32 PM, Edward Rawde wrote:
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
Inbound is problematic for various reasons.
Do you want your cameras accepting inbound connections from anywhere in the world?
Vendors have no problem selling "hubs" as a prerequisite to talk to
their devices. Why can't the hub implement a packet filter?
Use that as a selling point: the hub can act to protect the
local network (for a fee!!) while their access point/router likely
has not been reliably configured for that purpose.
OK, they don't have access credentials, but there's still a risk of a
0-day in a camera system which isn't going to get any more firmware
updates.
Simply putting the camera (or any device manufactured by someone who
may or may not be trustworthy) on your "internal network puts you
at risk.
E.g., I can open an outbound connection to hostile_actor.com and let
an external agent act as command-and-control, telling me (the camera)
what to do ON THE INTERNAL NETWORK.
This traffic can be disguised to look innocuous. E.g., resolving
"whatshouldIdo.hostile_actor.com" can deliver data to the camera that
can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
Results can be delivered to the external agency by resolving
"thepasswordisFOOBAR.hostile_actor.com", etc.
Or, open an HTTP connection to hostile_actor.com and anyone looking
through the logs (ha!) would just think a user visited a website
with an oddly suspicious domain name. (So, buy up yahooo.com,
goggle.com, etc.)
I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
attempting brute force to a blacklist.
But most people have no interest in that.
Hence the value of a "hub".
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
Of course, the machine SEES all attempts to connect to it. And, which
ports and protocols are being used -- and in which sequence -- from every potential external IP. So, if it sees the right combination of accesses
in a particular time frame, it will THEN respond to a connection attempt
for a particular service. Or, "callback" on a preassigned port on
the "caller's" IP address (as many ISPs frown on operating a server...
but, no constraints on ACCESSING some external service -- even if doing
so at the behest of said service!)
Meanwhile, other attempts AT THE SAME TIME still see a "dangling wire".
Once a connection is granted, there are no limits on what can be
transferred (set up a tunnel and all of those transactions are hidden)
Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
pictures to be viewed by anyone other than themselves.
<https://www.shodan.io/search?query=camera>
Even if you can't (easily) access the video, the fact that someone has INSTALLED a camera (five cameras??) has informational value.
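The detection side of the DNS channel described above, as an added example that is not code from any poster in the thread: it parses a constructed resolver log and flags a (client, domain) pair when that client resolves many distinct, long, high-entropy subdomain labels under one registered domain. The log format, the thresholds, the client addresses and the sample query names are all assumptions made for the example.

```python
"""Detect DNS query patterns resembling a subdomain-based command channel:
one client resolving many distinct, long, high-entropy labels under one
registered domain. Added example; the resolver log below is constructed."""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-12-12T10:00:01 192.168.1.50 A www.example.com
2024-12-12T10:00:02 192.168.1.50 A whatshouldIdo.hostile_actor.com
2024-12-12T10:00:03 192.168.1.50 A whatELSEshouldIdo.hostile_actor.com
2024-12-12T10:00:04 192.168.1.50 A thepasswordisFOOBAR.hostile_actor.com
2024-12-12T10:00:05 192.168.1.50 A 6a6f686e3a687f2b.hostile_actor.com
2024-12-12T10:00:06 192.168.1.50 A 73656372657431323334.hostile_actor.com
2024-12-12T10:00:07 192.168.1.50 A 4a4b4c4d4e4f5051.hostile_actor.com
2024-12-12T10:00:08 192.168.1.51 A mail.example.com
2024-12-12T10:00:09 192.168.1.51 A www.example.com
2024-12-12T10:00:10 192.168.1.51 A cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname):
    """Last two labels; a production tool would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groups())
    return records


def score_clients(records, min_unique=4, min_avg_len=12, min_avg_entropy=2.5):
    """Group queries by (client, registered domain) and flag pairs whose
    subdomain prefixes are numerous, long and high-entropy at the same time."""
    prefixes_by_pair = defaultdict(set)
    for _ts, client, _qtype, qname in records:
        qname = qname.rstrip(".")
        domain = registered_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")
        if prefix:
            prefixes_by_pair[(client, domain)].add(prefix)

    findings = []
    for (client, domain), prefixes in prefixes_by_pair.items():
        unique = len(prefixes)
        avg_len = sum(len(p) for p in prefixes) / unique
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / unique
        if unique >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_prefixes": unique,
                "avg_prefix_len": round(avg_len, 2),
                "avg_entropy": round(avg_entropy, 2),
            })
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


def analyze(text=SAMPLE_LOG):
    """Convenience wrapper: parse and score one log text."""
    return score_clients(parse_log(text))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Run as a script it prints the one flagged pair. The point is that the queries in the thread stand out not because the domain name looks odd but because the label statistics differ from normal lookups; that is also why a proper registered-domain cutoff (public-suffix list) matters in practice, so that `a.b.co.uk` is not treated as a subdomain of `co.uk`.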
On 2024-12-12 16:41, Jeroen Belleman wrote:
On 12/12/24 14:16, Don Y wrote:
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone,
via WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network
stack in the appliance, all of the network infrastructure from
your AP to the manufacturer's server, then, back through the phone
network, up through the stack in your phone and, finally, through
the app to the display.
Nothing can go wrong, there, right? <rolls eyes>
Apart from the obvious security and reliability worries, there is
the issue that the *manufacturer* gets to decide when *your* device
is obsolete.
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
On 12/12/2024 12:32 PM, Edward Rawde wrote:
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
Inbound is problematic for various reasons.
Do you want your cameras accepting inbound connections from anywhere in the world?
Vendors have no problem selling "hubs" as a prerequisite to talk to
their devices. Why can't the hub implement a packet filter?
One reason is that the packet filtering would have to be configured specifically for local requirements.
This gets us back to the issue of most people not knowing a packet filter if they fell over it.
Use that as a selling point: the hub can act to protect the
local network (for a fee!!) while their access point/router likely
has not been reliably configured for that purpose.
Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
firmware updates.
Simply putting the camera (or any device manufactured by someone who
may or may not be trustworthy) on your "internal" network puts you
at risk.
E.g., I can open an outbound connection to hostile_actor.com and let
an external agent act as command-and-control, telling me (the camera)
what to do ON THE INTERNAL NETWORK.
I don't permit outbound connections to a long list of countries.
I can always whitelist if it does turn out that I need to connect to a server in one of those countries.
This traffic can be disguised to look innocuous. E.g., resolving
"whatshouldIdo.hostile_actor.com" can deliver data to the camera that
can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
Results can be delivered to the external agency by resolving
"thepasswordisFOOBAR.hostile_actor.com", etc.
Or, open an HTTP connection to hostile_actor.com and anyone looking
through the logs (ha!) would just think a user visited a website
with an oddly suspicious domain name. (So, buy up yahooo.com,
goggle.com, etc.)
I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
attempting brute force to a blacklist.
But most people have no interest in that.
Hence the value of a "hub".
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
Once a connection is granted, there are no limits on what can be
transferred (set up a tunnel and all of those transactions are hidden)
Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
pictures to be viewed by anyone other than themselves.
<https://www.shodan.io/search?query=camera>
Even if you can't (easily) access the video, the fact that someone has
INSTALLED a camera (five cameras??) has informational value.
A nearby store installed cameras not long ago.
The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.
On Thu, 12 Dec 2024 19:58:36 +0100, "Carlos E.R."
<robin_listas@es.invalid> wrote:
On 2024-12-12 16:41, Jeroen Belleman wrote:
On 12/12/24 14:16, Don Y wrote:
On 12/12/2024 5:47 AM, Carlos E.R. wrote:
On 2024-12-12 12:00, Don Y wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
There are devices that put the actual interface on the phone,
via WiFi. The physical interface has a reduced set of features.
Yes. Via a server located at the manufacturer's facility!
So, you have the application layer in the appliance, the network
stack in the appliance, all of the network infrastructure from
your AP to the manufacturer's server, then, back through the phone
network, up through the stack in your phone and, finally, through
the app to the display.
Nothing can go wrong, there, right? <rolls eyes>
Apart from the obvious security and reliability worries, there is
the issue that the *manufacturer* gets to decide when *your* device
is obsolete.
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
A dodge occurs to me: Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces. Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.
White lists have the advantage of immunity to attempts from random
places. The lack of response if not white listed will defeat most
port IP address and scanners, even though the firewall most likely can
be hacked if known.
Upgrade the firewall from time to time, to sorta keep up with the
threats.
Joe Gwinn
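Joe Gwinn's whitelist-and-stay-silent firewall and the knock sequence Don Y described earlier in the thread, modeled together as an added example (not anyone's production code): a static source allowlist, a default of silently dropping everything else (no RST or ICMP reply), and a knock sequence that earns one source a temporary allow for a single service port. The addresses, ports, knock window and grant lifetime are constructed for the example.

```python
"""Model of a 'silent' gateway: a static source allowlist, a knock sequence
that earns one source a temporary allow for a single service port, and a
default of DROP (no reply at all, never REJECT) for everything else.
Added example; addresses, ports and timings are constructed."""
from collections import deque


class SilentGate:
    def __init__(self, static_allow, knock_seq, service_port,
                 knock_window=10.0, grant_ttl=60.0):
        self.static_allow = frozenset(static_allow)
        self.knock_seq = tuple(knock_seq)
        self.service_port = service_port
        self.knock_window = knock_window   # seconds allowed to complete the sequence
        self.grant_ttl = grant_ttl         # seconds a successful knock stays valid
        self._knocks = {}                  # src -> deque of (timestamp, dst_port)
        self._grants = {}                  # src -> expiry timestamp

    def decide(self, src, dst_port, ts):
        """Return 'ACCEPT' or 'DROP' for one inbound connection attempt."""
        if src in self.static_allow:
            return "ACCEPT"
        expiry = self._grants.get(src)
        if expiry is not None and ts > expiry:
            del self._grants[src]          # grant has lapsed; back to silence
            expiry = None
        if expiry is not None and dst_port == self.service_port:
            return "ACCEPT"
        # Not (yet) granted: record the port as a possible knock and stay silent.
        history = self._knocks.setdefault(src, deque())
        history.append((ts, dst_port))
        while history and ts - history[0][0] > self.knock_window:
            history.popleft()              # knocks older than the window do not count
        recent = [port for _, port in history]
        n = len(self.knock_seq)
        if len(recent) >= n and tuple(recent[-n:]) == self.knock_seq:
            self._grants[src] = ts + self.grant_ttl
            history.clear()
        return "DROP"


def run_demo():
    """Walk constructed events through the gate and return the decisions."""
    gate = SilentGate(static_allow={"203.0.113.10"},
                      knock_seq=(7000, 8000, 9000), service_port=22)
    events = [
        ("198.51.100.7", 22, 0.0),      # service port before any knock
        ("198.51.100.7", 7000, 1.0),    # knock 1
        ("198.51.100.7", 8000, 2.0),    # knock 2
        ("198.51.100.7", 9000, 3.0),    # knock 3 completes the sequence
        ("198.51.100.7", 22, 4.0),      # now granted
        ("198.51.100.7", 22, 70.0),     # grant expired (60 s after t=3)
        ("198.51.100.9", 9000, 0.0),    # right ports, wrong order
        ("198.51.100.9", 8000, 1.0),
        ("198.51.100.9", 7000, 2.0),
        ("198.51.100.9", 22, 3.0),
        ("198.51.100.11", 7000, 0.0),   # right order, too slow for the window
        ("198.51.100.11", 8000, 5.0),
        ("198.51.100.11", 9000, 12.0),
        ("198.51.100.11", 22, 13.0),
        ("203.0.113.10", 22, 0.0),      # statically allowlisted source
    ]
    return [gate.decide(*event) for event in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

`run_demo()` covers a correct knock, an expired grant, a wrong-order knock and a too-slow knock; every attempt that is not granted gets exactly the same DROP an unused address would, which is what makes the host look like a "dangling wire" to a scanner.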
On 2024-12-12 22:09, john larkin wrote:
Yeah, I'm REALLY eager to turn on the factory's WiFi interface
for the stove/oven... NOT!
I insisted that our new cooktops have no electronics. Well, they have
igniters but you can still light them with a match.
Over here, there is a safety "thing" (I don't know the name). When hot,
it opens the gas valve, so that if the flame extinguishes, it goes cold,
and closes the valve. It could be based on the Seebeck effect, so
arguably electronics.
I believe it is mandatory.
We have a dual oven that for some reason has one section with a
classic pneumatic thermostat and the other with electronic controls.
Guess which is broken.
On 12/12/2024 2:31 PM, Joe Gwinn wrote:
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
A dodge occurs to me: Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces. Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.
First, not all ISPs will allow inbound connections. E.g., many
hide their subscribers behind NAT so incoming connections can't
find specific hosts.
Second, there is nothing that prevents a device THAT YOU HAVE
WILLINGLY INSTALLED from having malware in it that compromises
your internal network. This, because most folks only implement
perimeter security mechanisms. So, a device is free to "call out"
and open a connection that allows an external actor to get past
any such peripheral defenses.
And, because any of your protections likely deal with the
internal vs. external networks as separate, homogeneous entities,
there is no way for you to easily determine where (physically)
traffic is originating or terminating. A device can pretend (from
the standpoint of packet inspection) to be any device on "your"
network.
[There are commercial devices available with exactly this capability,
used for pen-testing.]
White lists have the advantage of immunity to attempts from random
places. The lack of response if not white listed will defeat most
port IP address and scanners, even though the firewall most likely can
be hacked if known.
Many appliances advertise their presence -- through established
protocols. So, in addition to knowing it is there, they know WHAT
the device is and what rev level software, etc.
Building a collection of scripts that target specific vulnerabilities
in specific devices is then a practical attack plan.
Upgrade the firewall from time to time, to sorta keep up with the
threats.
The only practical way to protect a device (or network) is to impose constraints on both ends.
E.g., my "knock protocol" burdens folks who try to access my server.
But, it keeps the server secure -- and well hidden.
In my distributed system project, I use separate tunnels from each
device to the switch. So, the credentials for the device connected to
port #5 are of no value to you if you try to access the network
via port #8.
Furthermore, I know WHAT is at the end of each of those wires and
dynamically control the interactions allowed over those connections.
E.g., an "exposed/accessible" security camera should never have a need
to issue a command to open the garage door. And, any attempt to do so (assuming the encryption has been compromised by reverse-engineering
THE camera that was previously attached to that wire), will cause
the system to mark that network port ("wire") as tainted. So, even if
you tried to feed bogus video (because I *think* you are a camera)
to the system, it would ignore that input.
Red/Blue team exercises are incredibly educational! Until you actually
try to break security, you don't realize just how silly most mechanisms actually are!
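The per-wire tunnel and tainting scheme described in the post above, as an added example that is not the poster's own code: each switch port is bound to one device role and one tunnel key; a key presented on the wrong port, or an operation outside the role, taints that port, and a tainted port's later input is ignored even when it would otherwise be legitimate. The roles, operations, port numbers and keys are constructed for the example.

```python
"""Per-wire policy: every switch port is bound to one expected device role
with a fixed set of permitted operations and its own tunnel key. A message
whose key does not match the port, or whose operation is outside the role,
taints that port; thereafter all input from it is ignored, even operations
that would otherwise be allowed. Added example; roles, keys and ports are
constructed."""
import hmac

# Constructed capability table: role -> operations it may request.
ROLE_CAPABILITIES = {
    "camera": {"publish_video", "report_status"},
    "garage_controller": {"open_door", "close_door", "report_status"},
}


class WirePolicy:
    def __init__(self, port_roles, port_keys):
        self.port_roles = dict(port_roles)   # port -> expected device role
        self.port_keys = dict(port_keys)     # port -> per-tunnel key (constructed)
        self.tainted = set()                 # ports that have misbehaved
        self.audit = []                      # (port, operation, verdict)

    def _verdict(self, port, operation, verdict):
        self.audit.append((port, operation, verdict))
        return verdict

    def handle(self, port, presented_key, operation):
        """Return 'accepted', 'tainted' (first violation on this port)
        or 'ignored' (port was already tainted)."""
        if port in self.tainted:
            return self._verdict(port, operation, "ignored")
        role = self.port_roles.get(port)
        expected_key = self.port_keys.get(port)
        key_ok = (isinstance(presented_key, str) and expected_key is not None
                  and hmac.compare_digest(presented_key, expected_key))
        if role is None or not key_ok:
            # Unknown wire, or a key that belongs to some other wire.
            self.tainted.add(port)
            return self._verdict(port, operation, "tainted")
        if operation not in ROLE_CAPABILITIES[role]:
            # A camera has no business opening the garage door.
            self.tainted.add(port)
            return self._verdict(port, operation, "tainted")
        return self._verdict(port, operation, "accepted")


def run_demo():
    """Constructed sequence of messages arriving on two switch ports."""
    policy = WirePolicy(
        port_roles={5: "camera", 8: "garage_controller"},
        port_keys={5: "key-for-port-5", 8: "key-for-port-8"},
    )
    steps = [
        (5, "key-for-port-5", "publish_video"),   # normal camera traffic
        (8, "key-for-port-8", "open_door"),       # controller doing its job
        (8, "key-for-port-5", "open_door"),       # port-5 credentials presented on port 8
        (8, "key-for-port-8", "open_door"),       # ignored: port 8 is now tainted
        (5, "key-for-port-5", "open_door"),       # camera asks for something it never should
        (5, "key-for-port-5", "publish_video"),   # even its video is ignored now
    ]
    return [policy.handle(*step) for step in steps]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The constant-time key comparison is a detail the post does not mention but a practitioner would want; the substantive point is in the audit trail, where the first out-of-role request on a wire is what flips it to tainted rather than any later damage.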
On 12/12/2024 1:42 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
On 12/12/2024 12:32 PM, Edward Rawde wrote:
Is there any reason the camera can't talk to a phone that is also
hosted by the customer's access point?
If you want to let the camera access a phone that is NOT "local",
then let the user subscribe to a DynDNS service -- provided by
any number of competing firms (even the manufacturer -- via a nice
clean OPEN interface).
Inbound is problematic for various reasons.
Do you want your cameras accepting inbound connections from anywhere in the world?
Vendors have no problem selling "hubs" as a prerequisite to talk to
their devices. Why can't the hub implement a packet filter?
One reason is that the packet filtering would have to be configured specifically for local requirements.
This gets us back to the issue of most people not knowing a packet filter if they fell over it.
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
Use that as a selling point: the hub can act to protect the
local network (for a fee!!) while their access point/router likely
has not been reliably configured for that purpose.
Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
firmware updates.
Simply putting the camera (or any device manufactured by someone who
may or may not be trustworthy) on your "internal" network puts you
at risk.
E.g., I can open an outbound connection to hostile_actor.com and let
an external agent act as command-and-control, telling me (the camera)
what to do ON THE INTERNAL NETWORK.
I don't permit outbound connections to a long list of countries.
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter defenses" (WELCOMED in!) can act on behalf of some other agency.
IP filtering doesn't buy you any real protection.
I (the camera) can masquerade as any host INSIDE your network when I
want to deliver data to an external agent. Because I can DYNAMICALLY
set my network stack to masquerade as any IP address on a packet-to-packet basis.
And, I have a good idea what the range of valid IP addresses for your internal network will be -- based on the address and netmask that you assigned to *me* when I was installed (or, negotiated my DHCP lease). Likewise, I can claim my MAC is anything that I want it to be!
If you happen to peruse the logs, there is nothing that tells you
over which "wire" the request came into your switch, AP, etc. So,
you would have to eliminate devices until you stopped seeing "suspicious" traffic.
All this assuming you are capable of doing so.
I can always whitelist if it does turn out that I need to connect to a server in one of those countries.
See above.
This traffic can be disguised to look innocuous. E.g., resolving
"whatshouldIdo.hostile_actor.com" can deliver data to the camera that
can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
Results can be delivered to the external agency by resolving
"thepasswordisFOOBAR.hostile_actor.com", etc.
Or, open an HTTP connection to hostile_actor.com and anyone looking
through the logs (ha!) would just think a user visited a website
with an oddly suspicious domain name. (So, buy up yahooo.com,
goggle.com, etc.)
I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
attempting brute force to a blacklist.
But most people have no interest in that.
Hence the value of a "hub".
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
Knowing that a server exists is information. (esp if your AUP
prohibits them! :> ) Knowing that there is <something> sitting
at an IP invites probes.
An address that never reacts to your actions is uninteresting.
And, unless you can snoop the actual traffic, you can't know that
the address is actually actively moving data!
Once a connection is granted, there are no limits on what can be
transferred (set up a tunnel and all of those transactions are hidden)
Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
pictures to be viewed by anyone other than themselves.
<https://www.shodan.io/search?query=camera>
Even if you can't (easily) access the video, the fact that someone has
INSTALLED a camera (five cameras??) has informational value.
A nearby store installed cameras not long ago.
The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.
Many parts of the US deliver "utilities" (phone, cable, power) via
overhead wiring: "telephone poles". There exist transformers
on these poles (at regular intervals) to step down the mains to
the 240V center tapped that feeds our homes.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana growers.
The joke was that the transformer had NO wires (primary or secondary) attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
On 12/12/2024 2:31 PM, Joe Gwinn wrote:
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
A dodge occurs to me: Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces. Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.
First, not all ISPs will allow inbound connections. E.g., many
hide their subscribers behind NAT so incoming connections can't
find specific hosts.
They tried to put me on LSN/CGNAT. I was given a static IPv4 when I complained.
Previously the IP had been sufficiently static but not totally static.
Second, there is nothing that prevents a device THAT YOU HAVE
WILLINGLY INSTALLED from having malware in it that compromises
your internal network. This, because most folks only implement
perimeter security mechanisms. So, a device is free to "call out"
and open a connection that allows an external actor to get past
any such peripheral defenses.
It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free access
to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
packet filtered as necessary.
And, because any of your protections likely deal with the
internal vs. external networks as separate, homogeneous entities,
there is no way for you to easily determine where (physically)
traffic is originating or terminating. A device can pretend (from
the standpoint of packet inspection) to be any device on "your"
network.
That still doesn't mean it has access credentials for anything it shouldn't have.
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
The host based filter is worthless if the user is administrator (like most Windows users are) because malware can configure/disable
the firewall as it likes.
I don't permit outbound connections to a long list of countries.
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
defenses" (WELCOMED in!) can act on behalf of some other agency.
IP filtering doesn't buy you any real protection.
It does if you watch the logs for anything unusual.
A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.
Just like I watch who goes in and out of my house and who I give keys to. Imagine owning a house where you can't tell who comes and goes or who has keys.
That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
cleanup.
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
Knowing that a server exists is information. (esp if your AUP
prohibits them! :> ) Knowing that there is <something> sitting
at an IP invites probes.
Knowing that there's a house there is information.
Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
getting in unseen.
Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.
An address that never reacts to your actions is uninteresting.
And, unless you can snoop the actual traffic, you can't know that
the address is actually actively moving data!
In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing something potentially
interesting.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana
growers.
The joke was that the transformer had NO wires (primary or secondary)
attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
It must have been powered by something, even if everything else was wireless.
On 12/12/2024 4:50 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
On 12/12/2024 2:31 PM, Joe Gwinn wrote:
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
A dodge occurs to me: Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces. Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.
First, not all ISPs will allow inbound connections. E.g., many
hide their subscribers behind NAT so incoming connections can't
find specific hosts.
They tried to put me on LSN/CGNAT. I was given a static IPv4 when I complained.
Previously the IP had been sufficiently static but not totally static.
I prefer hiding behind NAT as it makes it that much harder for
unwanted incoming connections.
Second, there is nothing that prevents a device THAT YOU HAVE
WILLINGLY INSTALLED from having malware in it that compromises
your internal network. This, because most folks only implement
perimeter security mechanisms. So, a device is free to "call out"
and open a connection that allows an external actor to get past
any such peripheral defenses.
It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free
access
to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
packet filtered as necessary.
You don't REALLY think all of these security breaches happen because
a piece of malware HAS valid credentials? If that was all it took
to secure a network, just put 16 character "license plate" passwords
on all accounts and don't worry about a breach until Hell starts getting really cold!
Once you are inside a perimeter defense, you can poke at machines
at your leisure and accumulate results, sharing them with your
external "accomplice" as need be for further refinement and instruction.
Imagine Joe Super Hacker having a network drop in your spare
bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
that he will attempt? Can you lock down the data that he steals before
it gets out past your firewall?
[If so, then why do so many "professional organizations" have problems
doing this?]
And, because any of your protections likely deal with the
internal vs. external networks as separate, homogeneous entities,
there is no way for you to easily determine where (physically)
traffic is originating or terminating. A device can pretend (from
the standpoint of packet inspection) to be any device on "your"
network.
That still doesn't mean it has access credentials for anything it shouldn't have.
See above.
On 12/12/2024 4:36 PM, Edward Rawde wrote:
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
The host based filter is worthless if the user is administrator (like most Windows users are) because malware can
configure/disable
the firewall as it likes.
It's not going to suddenly decide that, e.g., PhotoShop needs access to
the internet!
I don't permit outbound connections to a long list of countries.
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
defenses" (WELCOMED in!) can act on behalf of some other agency.
IP filtering doesn't buy you any real protection.
It does if you watch the logs for anything unusual.
Do you have more than one host? Printer? etc. How many thousands of connections are you going to examine every day?
Windows machines typically run a whole slew of protocols, many of which
have dubious GENERAL value. Yet, disable one and you may find you've shutdown CIFS support. Or, network discovery protocols. Or...
A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.
So, you work for your computer! Most folks want their computers to work
for THEM!
Just like I watch who goes in and out of my house and who I give keys to.
Imagine owning a house where you can't tell who comes and goes or who has keys.
Knowing who has keys tells you ONLY who has keys. It tells you nothing
of whether they are using them, have given them to someone else to use, etc.
Do you really spend your waking hours watching all the lockable doors on
your property? AND, connections to your computer(s)?
That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
cleanup.
A simpler solution is simply not to have anything "stealable" on a machine that can be compromised.
If you could commandeer THIS machine, remotely, you could look to see
who I correspond with. And, what I've downloaded, recently.
And, that's about it!
If you manage to install malware, then you could use it as a C&C node to manipulate other machines -- machines that I don't own (because the only other thing on this network is a printer and the modem).
And, at the next semi-annual review, I will discover your malware
and remove it -- along with taking steps to protect against reinfection (e.g., install the custom boot loader that I have on the laptop that
wipes the OS each time I boot)
I "hide" my file server behind a particular "knock sequence" that is
only known to folks who should need access to it. Trying to probe
the IP address gets you no information -- it looks like there isn't
a machine AT that IP address.
I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
connection is secure.
Knowing that a server exists is information. (esp if your AUP
prohibits them! :> ) Knowing that there is <something> sitting
at an IP invites probes.
Knowing that there's a house there is information.
Who said there is a house? :> Who says it is (physically) *here*?
Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
getting in unseen.
What difference if you can still get in and inflict whatever damage?
Imagine trying to get OUT in the event of a fire... when the drawbridge mechanism fails?
Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.
An address that never reacts to your actions is uninteresting.
And, unless you can snoop the actual traffic, you can't know that
the address is actually actively moving data!
In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing something potentially
interesting.
I have ~70 hosts in my office. Yet, you'd be hard pressed to see more
than one or two (despite not deliberately trying to "hide") simply
because they are never ALL powered up (yet each needs a distinct
IP so I can power up any subset of them).
The advantage of an "internal agent" (like a pwn plug) is that it
can run 24/7/365 and patiently collect data from its observations.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana
growers.
The joke was that the transformer had NO wires (primary or secondary)
attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
It must have been powered by something, even if everything else was wireless.
A large battery. The voltage present on the pole is ~11KV (14KV?) or more. Silly to design a surveillance device that has to accept those high voltages for power when you have all that volume to use for an energy store!
(You can always come back to visit it a month later to replace the battery and retrieve the stored video footage!)
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...
On 12/12/2024 4:50 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
On 12/12/2024 2:31 PM, Joe Gwinn wrote:
The device has a limited life expectancy, anyway. About 10 years. The
boiler needs replacement of rubber gasket every year or two. There is a
mandatory yearly maintenance visit. With the remote controller,
maintenance visits are every two years, because the remote server
monitors the parameters and decides when a visit is needed.
So, that convenience is decisive for me. Win win.
A dodge occurs to me: Install a simple firewall between external
Internet and internal network that hosts such things as cameras and
furnaces. Set the firewall to accept only one of a small set of white
listed sources, and otherwise not to reply.
First, not all ISPs will allow inbound connections. E.g., many
hide their subscribers behind NAT so incoming connections can't
find specific hosts.
They tried to put me on lsn/cgnat. I was given a static IPv4 when I complained.
Previously the IP had been sufficiently static but not totally static.
I prefer hiding behind NAT as it makes it that much harder for
unwanted incoming connections.
Second, there is nothing that prevents a device THAT YOU HAVE
WILLINGLY INSTALLED from having malware in it that compromises
your internal network. This, because most folks only implement
perimeter security mechanisms. So, a device is free to "call out"
and open a connection that allows an external actor to get past
any such peripheral defenses.
It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free
access to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
packet filtered as necessary.
You don't REALLY think all of theses security breaches happen because
a piece of malware HAS valid credentials? If that was all it took
to secure a network, just put 16 character "license plate" passwords
on all accounts and don't worry about a breach until Hell starts getting
really cold!
Once you are inside a perimeter defense, you can poke at machines
at your leisure and accumulate results, sharing them with your
external "accomplice" as need be for further refinement and instruction.
Imagine Joe Super Hacker having a network drop in your spare
bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
that he will attempt? Can you lock down the data that he steals before
it gets out past your firewall?
[If so, then why do so many "professional organizations" have problems
doing this?]
One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis
scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
Let's take a hospital with myriad networked devices on various networks.
Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?
Organizations (like hospitals) typically have SCORES of IT folks.
In addition to out-sourced "specialists".
Banks and other groups with obvious financial exposure to such
losses likely considerably more. Governments? Firms involved
with that sort of technology?
On 12/12/2024 6:31 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...
On 12/12/2024 4:50 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
On 12/12/2024 2:31 PM, Joe Gwinn wrote:
Once you are inside a perimeter defense, you can poke at machines
at your leisure and accumulate results, sharing them with your
external "accomplice" as need be for further refinement and instruction.
Imagine Joe Super Hacker having a network drop in your spare
bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
that he will attempt? Can you lock down the data that he steals before
it gets out past your firewall?
[If so, then why do so many "professional organizations" have problems
doing this?]
One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis
scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
Let's take a hospital with myriad networked devices on various networks.
Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?
Organizations (like hospitals) typically have SCORES of IT folks.
In addition to out-sourced "specialists".
Banks and other groups with obvious financial exposure to such
losses likely considerably more. Governments? Firms involved
with that sort of technology?
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfvvb$310fn$1@dont-email.me...
On 12/12/2024 4:36 PM, Edward Rawde wrote:
Most users have banal needs for a firewall. If running Windows hosts,
then the filter in the host is even finer-grained than a filter in
an external firewall (as the host-based filter can be tailored
to specific applications).
The host based filter is worthless if the user is administrator (like most Windows users are) because malware can configure/disable
the firewall as it likes.
It's not going to suddenly decide that, e.g., PhotoShop needs access to
the internet!
I don't permit outbound connections to a long list of countries.
You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
defenses" (WELCOMED in!) can act on behalf of some other agency.
IP filtering doesn't buy you any real protection.
It does if you watch the logs for anything unusual.
Do you have more than one host? Printer? etc. How many thousands of
connections are you going to examine every day?
Automatic (python scripts in my case) examination of successful connections (ignoring anything blocked) takes a few seconds per day
so that I can easily see anything out of the ordinary. Connection between anything on my network and another nearby IP on the same
(or not far away) ISP would have been obvious.
Just like I watch who goes in and out of my house and who I give keys to.
Imagine owning a house where you can't tell who comes and goes or who has keys.
Knowing who has keys tells you ONLY who has keys. It tells you nothing
of whether they are using them, have given them to someone else to use, etc.
Do you really spend your waking hours watching all the lockable doors on
your property? AND, connections to your computer(s)?
See above. Security personnel are generally trained to watch for anything unusual.
Knowing whether a complete stranger has entered your house is all that's needed.
It is of course best that they stay locked out.
That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
cleanup.
A simpler solution is simply not to have anything "stealable" on a machine
that can be compromised.
A better solution is not to get anything compromised.
If you could commandeer THIS machine, remotely, you could look to see
who I correspond with. And, what I've downloaded, recently.
And, that's about it!
If you manage to install malware, then you could use it as a C&C node to
manipulate other machines -- machines that I don't own (because the only
other thing on this network is a printer and the modem).
And, at the next semi-annual review, I will discover your malware
and remove it -- along with taking steps to protect against reinfection
(e.g., install the custom boot loader that I have on the laptop that
wipes the OS each time I boot)
I wouldn't want to use a laptop which wipes the OS each time I boot.
Several decades ago, a "transformer" was installed on such a pole
(why was it SUDDENLY needed, there?) outside from a business that
sold "growing supplies" to folks who were suspected of being marijuana
growers.
The joke was that the transformer had NO wires (primary or secondary)
attached to it. And, a large, rectangular region that resembled a
"window" -- on the side facing the business.
"Gee, wanna bet that's a (really poorly disguised) camera??" :>
It must have been powered by something, even if everything else was wireless.
A large battery. The voltage present on the pole is ~11KV (14KV?) or more.
Silly to design a surveillance device that has to accept those high voltages
for power when you have all that volume to use for an energy store!
(You can always come back to visit it a month later to replace the battery
and retrieve the stored video footage!)
A camera system which requires me to go up a ladder to change the large battery and retrieve the footage doesn't sound like fun to me.
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
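The scripted daily check over successful connections described above, as an added example in Python (not the scripts of anyone in this thread): it parses constructed iptables-style LOG lines, ignores the DROPs, counts accepted outbound connections per LAN host, and flags destinations outside a known baseline plus any peer sitting in the same ISP block as the gateway's own address. The LAN, public address, ISP prefix, baseline and log lines are all assumptions made up for the example.

```python
"""Daily review of accepted connections in a gateway firewall log.

Added example, not the thread's own scripts: keep only the ACCEPTed
outbound connections, count them per LAN host, and flag what a human
would call "out of the ordinary": destinations not in a known baseline,
and peers inside our own ISP's address block (the "nearby IP on the
same ISP" case). Every address, prefix and log line here is constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed syslog excerpt in iptables LOG style (not captured traffic).
SAMPLE_LOG = """\
Dec 13 08:01:02 gw kernel: FW-OUT ACCEPT IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=443
Dec 13 08:01:05 gw kernel: FW-IN DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=22
Dec 13 08:02:11 gw kernel: FW-OUT ACCEPT IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 PROTO=TCP SPT=51240 DPT=443
Dec 13 08:03:40 gw kernel: FW-OUT ACCEPT IN= OUT=eth0 SRC=192.168.1.23 DST=198.51.100.140 PROTO=TCP SPT=40022 DPT=8443
Dec 13 08:04:00 gw kernel: FW-OUT ACCEPT IN= OUT=eth0 SRC=192.168.1.23 DST=192.0.2.55 PROTO=UDP SPT=39999 DPT=5353
Dec 13 08:05:13 gw kernel: FW-IN DROP IN=eth0 OUT= SRC=203.0.113.78 DST=198.51.100.20 PROTO=TCP SPT=41001 DPT=3389
"""

# Assumptions for this example: the LAN, the gateway's static public
# address, the ISP block it sits in, and the destinations already known.
# (Documentation ranges are used here as if they were routable addresses.)
LAN = ipaddress.ip_network("192.168.1.0/24")
OWN_PUBLIC_IP = "198.51.100.20"
ISP_PREFIX = ipaddress.ip_network("198.51.100.0/24")
BASELINE = {"93.184.216.34"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>\S+) (?P<verdict>ACCEPT|DROP|REJECT) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one firewall LOG line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "prefix": m["prefix"], "verdict": m["verdict"]}
    rec.update(FIELD_RE.findall(m["fields"]))   # KEY=VALUE pairs
    for port in ("SPT", "DPT"):                 # ICMP lines simply have no ports
        if port in rec:
            rec[port] = int(rec[port])
    return rec


def accepted_connections(log_text):
    """Only connections that actually went through are worth reviewing;
    the DROP lines are the noise that would otherwise bury the signal."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["verdict"] == "ACCEPT" and "SRC" in r and "DST" in r]


def review(log_text, baseline, own_public_ip, isp_prefix, lan=LAN):
    """Summarise one day's accepted LAN-to-Internet connections."""
    own = ipaddress.ip_address(own_public_ip)
    per_host = Counter()
    new_destinations = set()
    neighbour_peers = []
    for r in accepted_connections(log_text):
        src = ipaddress.ip_address(r["SRC"])
        dst = ipaddress.ip_address(r["DST"])
        if src not in lan or dst in lan:
            continue          # LAN-to-LAN or inbound traffic: reviewed elsewhere
        per_host[r["SRC"]] += 1
        if r["DST"] not in baseline:
            new_destinations.add(r["DST"])
        # A peer in our own ISP's block, other than ourselves, is the
        # "nearby IP on the same ISP" case: worth a look every single time.
        if dst in isp_prefix and dst != own:
            neighbour_peers.append((r["SRC"], r["DST"], r.get("DPT")))
    return {"per_host_counts": per_host,
            "new_destinations": new_destinations,
            "neighbour_peers": neighbour_peers}


if __name__ == "__main__":
    report = review(SAMPLE_LOG, BASELINE, OWN_PUBLIC_IP, ISP_PREFIX)
    for host, n in sorted(report["per_host_counts"].items()):
        print(f"{host}: {n} accepted outbound connection(s)")
    for dst in sorted(report["new_destinations"]):
        print(f"NEW destination not in baseline: {dst}")
    for src, dst, dport in report["neighbour_peers"]:
        print(f"NEIGHBOUR on our ISP block: {src} -> {dst}:{dport}")
```

On a real gateway the baseline would be yesterday's accepted destinations and the log would come from the kernel's LOG target, so the review reduces to reading only the lines this script flags.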
On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
On 12/12/2024 2:59 AM, Martin Brown wrote:
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
Once something becomes "complex" (i.e., too large to fit in a
single brain), it becomes difficult to understand the repercussions
of specific design decisions -- because you can't remember
EVERYTHING with which they interact.
Engineers design giant systems - cars, airplanes, bridges, buildings
- with lots of parts, and nobody understands all the parts. And they
work first time.
Software is different, and it never works first time. Most programs
don't even compile first try.
I could probably code a "Hello, world!" program that would run first
try.
On 12/12/2024 21:09, john larkin wrote:
On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
On 12/12/2024 2:59 AM, Martin Brown wrote:
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
Once something becomes "complex" (i.e., too large to fit in a
single brain), it becomes difficult to understand the repercussions
of specific design decisions -- because you can't remember
EVERYTHING with which they interact.
Engineers design giant systems - cars, airplanes, bridges, buildings
- with lots of parts, and nobody understands all the parts. And they
work first time.
There are hundreds of years experience building large physical objects and customers can more or less understand engineering diagrams and now virtual 3D renderings of their new building made possible by software.
It didn't stop someone during build phase connecting a high pressure steam pipe
to a stairway handrail on one plant that I know of. Big engineering diagrams can also be confusing when loads of similar diameter pipes (and non-pipes) go through a partition.
Software is still in the medieval cathedral building era but without the make walls thicker just in case strategy. It is still a good heuristic that if it is
still standing after 5 years then it was a good 'un.
Ely cathedral on the fens and the crooked spire at Chesterfield are examples that didn't quite fall down but don't quite look as designed.
https://www.elycathedral.org
https://en.wikipedia.org/wiki/Church_of_St_Mary_and_All_Saints,_Chesterfield
Software is different, and it never works first time. Most programs
don't even compile first try.
It is better if they don't compile at all until they are nearly correct. The more faults that are found at compile time the better. Static code analysis has
done a lot to improve software quality in the past decade.
The big problem is that software developers get lumped with last minute changes
caused by salesmen promising new features to customers and to hide hardware defects that electronics engineers left in and need to be remediated in software because manufacturing has already started.
Mission creep (or starting out with nothing even resembling a coherent self consistent requirements specification) is a big factor in large scale software
failures. We are stuck with the suits saying ship it and be damned we can always update the software later with something that actually works. Hardware tends to be immutable even when there is a significant fault present software is expected to kludge around it.
Unfortunately most projects at universities are sufficiently small that anyone
who is even reasonably good at programming can hack a solution out of the solid
more quickly and without using the processes needed for large scale software development.
I could probably code a "Hello, world!" program that would run first
try.
That is the problem. Anything under about 3 man months you can get away with murder (and that means most university teaching projects). Things start to get
a bit sticky when you are talking 3 man years and above.
If you so despise software why are you using Spice and why are you not still cutting up bits of red and blue sticky tape?
Software mostly works and you have
to learn to live with its quirks or write your own.
On 12/13/2024 2:55 AM, Martin Brown wrote:
On 12/12/2024 21:09, john larkin wrote:
On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
On 12/12/2024 2:59 AM, Martin Brown wrote:
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
Once something becomes "complex" (i.e., too large to fit in a
single brain), it becomes difficult to understand the repercussions
of specific design decisions -- because you can't remember
EVERYTHING with which they interact.
Engineers design giant systems - cars, airplanes, bridges, buildings
- with lots of parts, and nobody understands all the parts. And they
work first time.
In my lifetime (or of sufficiently common "lore"):
Hindenburg explosion
Tacoma Narrows Bridge collapse
Chernobyl reactor
Hyatt Regency walkway collapse
Apollo 1 fire
Apollo 13 O2 tank explosion
Space Shuttle Challenger
Space Shuttle Columbia
Skylab
Fukushima nuclear plant
Deepwater Horizon fire/"spill"
Doors falling out of airplanes
Titanic
BIG! Chinese dam failure (no idea of name)
World Trade Center towers
Concorde
De Gaulle airport collapse
DC-10 engine falling off
Titan submersible implosion
All, obviously, software problems??
There are hundreds of years experience building large physical objects and
customers can more or less understand engineering diagrams and now virtual 3D
renderings of their new building made possible by software.
<https://en.wikipedia.org/wiki/List_of_aircraft_structural_failures>
<https://en.wikipedia.org/wiki/List_of_building_and_structure_collapses>
<https://en.wikipedia.org/wiki/List_of_bridge_failures>
<https://en.wikipedia.org/wiki/Dam_failure#List_of_major_dam_failures>
<https://en.wikipedia.org/wiki/List_of_hydroelectric_power_station_failures>
<https://en.wikipedia.org/wiki/List_of_thermal_power_station_failures>
<https://en.wikipedia.org/wiki/List_of_catastrophic_collapses_of_broadcast_masts_and_towers>
Bias? Or sheer Ignorance?
It didn't stop someone during build phase connecting a high pressure steam pipe
to a stairway handrail on one plant that I know of. Big engineering diagrams
can also be confusing when loads of similar diameter pipes (and non-pipes) go
through a partition.
Or, misplumb the bedside O2 supply at the hospital where SWMBO worked.
And, we won't discuss why notes were never taken at the M&M meetings
she attended. "Something wrong? On OUR part? No....."
Software is still in the medieval cathedral building era but without the make
walls thicker just in case strategy. It is still a good heuristic that if it is
still standing after 5 years then it was a good 'un.
And, unlike EVERYTHING physical, it doesn't wear out! Annoying that folks
can't seem to design hardware that performs the same 30 - 50 years later.
Must just be shitty designs that "fail"?
Ely cathedral on the fens and the crooked spire at Chesterfield are examples
that didn't quite fall down but don't quite look as designed.
https://www.elycathedral.org
https://en.wikipedia.org/wiki/Church_of_St_Mary_and_All_Saints,_Chesterfield
Software is different, and it never works first time. Most programs
don't even compile first try.
Says the Programmer. I guess an admission of a lack of skill.
It is better if they don't compile at all until they are nearly correct. The
more faults that are found at compile time the better. Static code analysis has
done a lot to improve software quality in the past decade.
Lack of education is a big problem. Too easy to be a "programmer" without
having any real skillset -- beyond "Look, Ma, it (almost) works!" Kinda
like having a soldering iron and claiming to be an EE!
We quiz job applicants with really simple, disarming questions: How
do you sort a list? Then, watch to see HOW they reply. If they don't
*immediately* ask to better define the problem space but throw up
the name of a sort algorithm, we're pretty sure they're just
a programmer. So, we coax as much of that superficial knowledge from
them: how many sort algorithms can you name? how do they differ?
write the pseudocode for <pick_one>? Great, now write <another>?
Which is faster? (trick question) Why?
If they haven't mentioned any trees, we're SURE they're a programmer.
How would you use this algorithm to sort a list of integers? Based on
the third digit? Will the sort be stable? (do you even know what
that means?) variable length strings? A list with 1,000,000 entries?
1,000,000,000,000? What if you only have 25KB of working store?
How long will that take? How would you make it twice as fast? TEN
times faster? Programmers quickly fall by the wayside when you get
past the superficial knowledge needed to write X in language Y.
[And, if 'Y' is the language du jour, they're almost certainly a
programmer!]
Ask a programmer how much stack his code needs. Or, how big it is
(based solely on what he's committed to paper). "We need to know how
much memory to put in the device; installing a disk drive would be
foolhardy just to give you peace of mind with your estimate. We
need to order the parts NOW so manufacturing can start building product
and YOU can install your software as they are headed out the door..."
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
On Fri, 13 Dec 2024 06:18:54 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
On 12/13/2024 2:55 AM, Martin Brown wrote:
On 12/12/2024 21:09, john larkin wrote:
On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
On 12/12/2024 2:59 AM, Martin Brown wrote:
Probably because it is *so* bug.
(typo for big but Freudian slip seems OK)
Once something becomes "complex" (i.e., too large to fit in a
single brain), it becomes difficult to understand the repercussions
of specific design decisions -- because you can't remember
EVERYTHING with which they interact.
Engineers design giant systems - cars, airplanes, bridges, buildings
- with lots of parts, and nobody understands all the parts. And they
work first time.
In my lifetime (or of sufficiently common "lore"):
Hindenburg explosion
Tacoma Narrows Bridge collapse
Chernobyl reactor
Hyatt Regency walkway collapse
Apollo 1 fire
Apollo 13 O2 tank explosion
Space Shuttle Challenger
Space Shuttle Columbia
Skylab
Fukushima nuclear plant
Deepwater Horizon fire/"spill"
Doors falling out of airplanes
Titanic
BIG! Chinese dam failure (no idea of name)
World Trade Center towers
Concorde
De Gaulle airport collapse
DC-10 engine falling off
Titan submersible implosion
All, obviously, software problems??
There are hundreds of years experience building large physical objects and
customers can more or less understand engineering diagrams and now virtual 3D
renderings of their new building made possible by software.
<https://en.wikipedia.org/wiki/List_of_aircraft_structural_failures>
<https://en.wikipedia.org/wiki/List_of_building_and_structure_collapses>
<https://en.wikipedia.org/wiki/List_of_bridge_failures>
<https://en.wikipedia.org/wiki/Dam_failure#List_of_major_dam_failures>
<https://en.wikipedia.org/wiki/List_of_hydroelectric_power_station_failures>
<https://en.wikipedia.org/wiki/List_of_thermal_power_station_failures>
<https://en.wikipedia.org/wiki/List_of_catastrophic_collapses_of_broadcast_masts_and_towers>
Bias? Or sheer Ignorance?
What fraction of airplanes or bridges or buildings collapse? Estimate
that in PPMs.
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad
reasons why breaches occur.
On 12/13/2024 11:35 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
No. They have automated tools doing this work. No one spends their time manually browsing log files.
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP
addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the
myriad
reasons why breaches occur.
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
On 12/13/2024 11:35 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
No. They have automated tools doing this work. No one spends their time
manually browsing log files.
You must have worked for many different large organizations to know how they all do things.
Did you miss the part where I said I have automated tools (python scripts) to deal with log files?
I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
Doing that manually would be ridiculous.
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP
addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the
myriad
reasons why breaches occur.
On 12/13/2024 3:03 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
On 12/13/2024 11:35 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
No. They have automated tools doing this work. No one spends their time
manually browsing log files.
You must have worked for many different large organizations to know how they all do things.
Yes. And have colleagues at (or who have consulted with) others.
Did you miss the part where I said I have automated tools (python scripts) to deal with log files?
I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
Doing that manually would be ridiculous.
And I rely on a knock sequence. Who's spending LESS time on maintaining their
service?
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP
addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the
myriad
reasons why breaches occur.
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjii9m$3ltn2$2@dont-email.me...
On 12/13/2024 3:03 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
On 12/13/2024 11:35 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
No. They have automated tools doing this work. No one spends their time
manually browsing log files.
You must have worked for many different large organizations to know how they all do things.
Yes. And have colleagues at (or who have consulted with) others.
Did you miss the part where I said I have automated tools (python scripts) to deal with log files?
I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
Doing that manually would be ridiculous.
And I rely on a knock sequence. Who's spending LESS time on maintaining their
service?
Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.
And it's fun to see where the brute force and other attacks come from.
Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP
addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the
myriad
reasons why breaches occur.
On 12/13/2024 7:24 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjii9m$3ltn2$2@dont-email.me...
On 12/13/2024 3:03 PM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
On 12/13/2024 11:35 AM, Edward Rawde wrote:
"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
On 12/12/2024 7:50 PM, Edward Rawde wrote:
I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.
Some organizations are obviously doing a lot better than others at cybersecurity.
<https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>
at least, the ones that we KNOW about...
They are all large organizations rather than a single location with a single firewall.
Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.
No. They have automated tools doing this work. No one spends their time
manually browsing log files.
You must have worked for many different large organizations to know how they all do things.
Yes. And have colleagues at (or who have consulted with) others.
Did you miss the part where I said I have automated tools (python scripts) to deal with log files?
I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
Doing that manually would be ridiculous.
And I rely on a knock sequence. Who's spending LESS time on maintaining their
service?
Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.
And, in 40+ years, online, I've lost nothing. I guess I must be doing
something wrong...
Same here. So I must be too.
And it's fun to see where the brute force and other attacks come from.
Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.
Why would a SERVER be making *unsolicited* outbound connections?
Huh? Phishing sites run web servers. No-one said that such servers make outbound connections.
I don't use knocking because it's inconvenient and it's debatable whether or not it's any better than a firewall which drops
everything which isn't from specific IP addresses or networks. Whether knocking or IP filtering is used in front of a server, the
server should still reject anything which doesn't have valid login credentials.
But I don't wish to waste time debating it any further.
The ones who have breaches more likely have managers who don't want anything touched if it's working.
So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses
or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.
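The two ideas argued over in this thread, scripts that turn failed-login log lines into a blacklist, and a firewall that only admits known addresses or networks, can be shown in a few dozen lines. What follows is an added example, not code posted by Don Y, Edward Rawde or anyone else here. The sshd-style log lines are constructed for illustration, the "known network" 192.0.2.0/24, the threshold of three failures and the /24 aggregation are hypothetical choices, and the nftables fragment it prints is one possible rendering meant to be reviewed before it is loaded with `nft -f`, not a description of how any poster's setup works.

```python
"""Build an inbound blocklist from sshd-style auth log lines.

Added example, not code from the thread. Log lines, allowlist and threshold
are constructed/hypothetical values chosen for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real traffic), in the shape sshd writes
# via syslog on most Linux distributions. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Dec 13 19:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Dec 13 19:01:05 host sshd[1202]: Failed password for root from 203.0.113.45 port 51240 ssh2
Dec 13 19:01:09 host sshd[1203]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
Dec 13 19:02:11 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Dec 13 19:03:30 host sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc
Dec 13 19:04:00 host sshd[1206]: Failed password for root from 192.0.2.10 port 50010 ssh2
Dec 13 19:04:01 host sshd[1207]: Failed password for root from 192.0.2.10 port 50011 ssh2
Dec 13 19:04:02 host sshd[1208]: Failed password for root from 192.0.2.10 port 50012 ssh2
Dec 13 19:05:00 host sshd[1209]: Invalid user guest from 203.0.113.46 port 33000
"""

# Matches the two common sshd failure messages and captures the source IPv4.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Hypothetical "known" networks (an office range, say). Sources inside these
# are never blocked, so a typo'd password from the office cannot lock it out.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def failures_by_source(log_text):
    """Count failed-auth events per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_allowlisted(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWLIST)


def build_blocklist(log_text, threshold=3):
    """Addresses with >= threshold failures that are not allowlisted, sorted numerically."""
    counts = failures_by_source(log_text)
    offenders = [ip for ip, n in counts.items()
                 if n >= threshold and not is_allowlisted(ip)]
    return sorted(offenders, key=lambda s: int(ipaddress.ip_address(s)))


def collapse_to_networks(addresses, prefix=24):
    """Widen each address to a /prefix and merge adjacent or overlapping blocks.

    Deliberately coarse: one noisy host costs its whole /24, which is the
    trade-off a 'blacklist networks, not hosts' policy makes.
    """
    nets = [ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def nftables_rules(networks, table="inet filter", setname="blocklist"):
    """Render an nftables fragment that drops inbound traffic from the set."""
    elements = (f" elements = {{ {', '.join(networks)} }}" if networks else "")
    return (
        f"table {table} {{\n"
        f"  set {setname} {{ type ipv4_addr; flags interval;{elements} }}\n"
        f"  chain input {{ type filter hook input priority 0;\n"
        f"    ip saddr @{setname} counter drop\n"
        f"  }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_LOG)
    print("blocked addresses:", blocked)
    print(nftables_rules(collapse_to_networks(blocked)))
```

On the sample input only 203.0.113.45 crosses the threshold; 192.0.2.10 fails three times too but sits inside the allowlisted network and is left alone, which is the point of keeping an explicit list of known networks next to the automated blacklist. The same structure works for a database listener: replace the allowlist with the application servers' networks and change the chain to match the database port.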