From: "Edward Rawde"
Newsgroups: sci.electronics.design
Subject: Re: Win11 explorer bug?
Date: Thu, 12 Dec 2024 20:31:56 -0500
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)

"Don Y" wrote in message news:vjg0hu$310fn$2@dont-email.me...
> On 12/12/2024 4:50 PM, Edward Rawde wrote:
>> "Don Y" wrote in message news:vjfobk$2vgfa$1@dont-email.me...
>>> On 12/12/2024 2:31 PM, Joe Gwinn wrote:
>>>>> The device has a limited life expectancy, anyway. About 10 years. The
>>>>> boiler needs replacement of rubber gasket every year or two. There is a
>>>>> mandatory yearly maintenance visit. With the remote controller,
>>>>> maintenance visits are every two years, because the remote server
>>>>> monitors the parameters and decides when a visit is needed.
>>>>>
>>>>> So, that convenience is decisive for me. Win win.
>>>>
>>>> A dodge occurs to me: Install a simple firewall between external
>>>> Internet and internal network that hosts such things as cameras and
>>>> furnaces. Set the firewall to accept only one of a small set of white
>>>> listed sources, and otherwise not to reply.
>>>
>>> First, not all ISPs will allow inbound connections.
>>> E.g., many
>>> hide their subscribers behind NAT so incoming connections can't
>>> find specific hosts.
>>
>> They tried to put me on lsn/cgnat. I was given a static IPv4 when I complained.
>> Previously the IP had been sufficiently static but not totally static.
>
> I prefer hiding behind NAT as it makes it that much harder for
> unwanted incoming connections.
>
>>> Second, there is nothing that prevents a device THAT YOU HAVE
>>> WILLINGLY INSTALLED from having malware in it that compromises
>>> your internal network. This, because most folks only implement
>>> perimeter security mechanisms. So, a device is free to "call out"
>>> and open a connection that allows an external actor to get past
>>> any such peripheral defenses.
>>
>> It's true that this is a situation you want to avoid but a properly
>> designed internal network will not allow the malware free access
>> to services it doesn't have access credentials for. And devices such
>> as cameras can be on their own internal network separately
>> packet filtered as necessary.
>
> You don't REALLY think all of these security breaches happen because
> a piece of malware HAS valid credentials? If that was all it took
> to secure a network, just put 16 character "license plate" passwords
> on all accounts and don't worry about a breach until Hell starts getting
> really cold!
>
> Once you are inside a perimeter defense, you can poke at machines
> at your leisure and accumulate results, sharing them with your
> external "accomplice" as need be for further refinement and instruction.
>
> Imagine Joe Super Hacker having a network drop in your spare
> bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
> that he will attempt? Can you lock down the data that he steals before
> it gets out past your firewall?
>
> [If so, then why do so many "professional organizations" have problems
> doing this?]

One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual. Let's take a hospital with myriad networked devices on various networks. Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity? Or have the IT equipment, firewalls, etc. been installed and left to run without any monitoring?

>
>>> And, because any of your protections likely deal with the
>>> internal vs. external networks as separate, homogenous entities,
>>> there is no way for you to easily determine where (physically)
>>> traffic is originating or terminating. A device can pretend (from
>>> the standpoint of packet inspection) to be any device on "your"
>>> network.
>>
>> That still doesn't mean it has access credentials for anything it shouldn't have.
>
> See above.
>
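
A sketch of the kind of log analysis script the reply above mentions, added here as an example and not part of the original post: it learns each internal device's usual outbound destinations from a baseline period and reports flows that are new. The log line format, the 192.168.0.0/16 internal range, all addresses and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed) log format, not that of any particular firewall:
#   <ISO timestamp> ACCEPT|DROP SRC=<ip> DST=<ip> DPT=<port>
LINE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)$")
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumed internal range

def outbound_flows(lines):
    """Yield (src, dst, port) for internal -> external flows only."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything not in the assumed format
        _stamp, _action, src, dst, port = m.groups()
        if (ipaddress.ip_address(src) in INTERNAL
                and ipaddress.ip_address(dst) not in INTERNAL):
            yield src, dst, int(port)

def unusual(baseline_lines, new_lines):
    """Map each new (src, dst, port) flow absent from the baseline to its hit count."""
    usual = defaultdict(set)  # device -> {(dst, port)} seen while things were normal
    for src, dst, port in outbound_flows(baseline_lines):
        usual[src].add((dst, port))
    counts = defaultdict(int)
    for src, dst, port in outbound_flows(new_lines):
        if (dst, port) not in usual[src]:
            counts[(src, dst, port)] += 1
    return dict(counts)

# Constructed sample data (documentation address ranges).
BASELINE = [
    "2024-12-01T02:00:00 ACCEPT SRC=192.168.10.20 DST=203.0.113.5 DPT=443",  # boiler -> vendor
    "2024-12-02T02:00:00 ACCEPT SRC=192.168.10.20 DST=203.0.113.5 DPT=443",
    "2024-12-02T09:00:00 ACCEPT SRC=192.168.20.7 DST=203.0.113.9 DPT=443",   # camera -> vendor
]
TODAY = [
    "2024-12-12T02:00:00 ACCEPT SRC=192.168.10.20 DST=203.0.113.5 DPT=443",
    "2024-12-12T03:10:00 ACCEPT SRC=192.168.20.7 DST=198.51.100.77 DPT=8443",  # camera, new destination
    "2024-12-12T03:11:00 ACCEPT SRC=192.168.20.7 DST=198.51.100.77 DPT=8443",
    "2024-12-12T03:12:00 DROP SRC=198.51.100.77 DST=192.168.20.7 DPT=22",      # inbound, not counted
    "2024-12-12T03:15:00 ACCEPT SRC=192.168.20.7 DST=192.168.10.20 DPT=80",    # internal only, not counted
]

if __name__ == "__main__":
    for (src, dst, port), hits in unusual(BASELINE, TODAY).items():
        print(f"NEW outbound flow: {src} -> {dst}:{port} ({hits} hits)")
```

Because the baseline is keyed on the source address seen by the firewall, it inherits the limitation raised in the quoted text: a device that presents another device's address is judged against that device's baseline.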