Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y <blockedofcourse@foo.invalid>
Newsgroups: sci.electronics.design
Subject: Re: Re:Predictive failures
Date: Tue, 16 Apr 2024 23:33:11 -0700
Organization: A noiseless patient Spider
Lines: 152
Message-ID: <uvnqg7$1f0pl$1@dont-email.me>
References: <uvjn74$d54b$1@dont-email.me> <uvjobr$dfi2$1@dont-email.me>
 <uvkn71$ngqi$2@dont-email.me>
 <uvkrig$30nb$1@nnrp.usenet.blueworldhosting.com>
 <uvl2gr$phap$2@dont-email.me> <uvm7f5$pvu$1@nnrp.usenet.blueworldhosting.com>
 <uvmaet$1231i$2@dont-email.me>
 <uvmca4$up7$1@nnrp.usenet.blueworldhosting.com>
 <uvmjmt$140d2$1@dont-email.me>
 <uvmkco$2fih$1@nnrp.usenet.blueworldhosting.com>
 <uvmqve$15hl7$2@dont-email.me>
 <uvmthn$bjm$1@nnrp.usenet.blueworldhosting.com>
 <uvn7lm$17so6$2@dont-email.me>
 <uvn96o$2o0t$1@nnrp.usenet.blueworldhosting.com>
 <uvnf00$1cu2a$1@dont-email.me>
 <uvnio7$eac$1@nnrp.usenet.blueworldhosting.com>
 <uvnlr6$1e3fi$1@dont-email.me>
 <uvnnbd$30q6$1@nnrp.usenet.blueworldhosting.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 17 Apr 2024 08:33:45 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="2b43e3ad6cfda17a11cedcbd329c2ac9";
	logging-data="1540917"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18dv60z2mJBAQwOcvip4bBD"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Cancel-Lock: sha1:IswByaB4o/lPV59MIGXkqbxxJJ0=
In-Reply-To: <uvnnbd$30q6$1@nnrp.usenet.blueworldhosting.com>
Content-Language: en-US
Bytes: 8757

On 4/16/2024 10:39 PM, Edward Rawde wrote:
> "Don Y" <blockedofcourse@foo.invalid> wrote in message
> news:uvnlr6$1e3fi$1@dont-email.me...
>> On 4/16/2024 9:21 PM, Edward Rawde wrote:
>>>> The internal network isn't routed.  So, the only machines to worry about are
>>>> this one (used only for email/news/web) and a laptop that is only used
>>>> for ecommerce.
>>>
>>> My LAN is more like a small/medium size business with all workstations,
>>> servers and devices behind a firewall and able to communicate both with each
>>> other and online as necessary.
>>
>> I have 72 drops in the office and 240 throughout the rest of the house
>> (though the vast majority of those are for dedicated "appliances")...
>> about 2.5 miles of CAT5.
> 
> Must be a big house.

The office is ~150 sq ft.  Three sets of dual workstations each sharing a
set of monitors and a tablet (for music) -- 7 drops for each such set.
Eight drops for my "prototyping platform".  Twelve UPSs.  Four scanners
(two B size, one A-size w/ADF and a film scanner).  An SB2000 and Voyager
(for cross development testing; I'm discarding a T5220 tomorrow).
Four "toy" NASs (for sharing files between myself and SWMBO, documents
dropped by the scanners, etc.).  Four 12-bay NASs, two 16 bay.  Four
8-bay ESXi servers.  Two 1U servers.  Two 2U servers.  My DBMS server.
A "general services" appliance (DNS, NTP, PXE, FTP, TFTP, font, etc.
services).  Three media front ends.  One media tank.  Two 12 bay
(and one 24 bay) iSCSI SAN devices.

[It's amazing how much stuff you can cram into a small space when you
try hard!  :>   To be completely honest, the scanners are located in
my adjoining bedroom]

The house is a bit under 2000.  But, the drops go to places that "people"
don't normally access -- with the notable exception of the 25 "uncommitted
drops":  2 in each bedroom, 2 on kitchen counters, 4 in living room,
3 in family room, 2 in dining room, front hall, back porch, front porch,
etc.

E.g., there are 4 in the kitchen ceiling -- for four "network speakers"
(controller, amplifier, network interface).  Four more in the family room
(same use).  And two on the back porch.

There's one on the roof *in* the evaporative cooler (to control the
evaporative cooler, of course).  Another for a weather station
(to sort out how best to use the HVAC options available).  Another
in the furnace/ACbrrr.

One for a genset out by the load center.  Another for a solar installation.
One to monitor utility power consumption.  Another for municipal water.
And natural gas.  One for the irrigation system.  One for water
"treatment".

One for the garage (door opener and "parking assistant").  Another for the
water heater.  Washer.  Dryer.  Stove/oven.  Refrigerator.  Dishwasher.

One for each skylight (to allow for automatic venting, shading and
environmental sensing).  One for each window (automate window coverings).

Three "control panels".  One "privileged port" (used to "introduce" new
devices to the system, securely).

Two cameras on each corner of the house.  A camera looking at the front
door.  Another looking away from it.  One more looking at the potential
guest standing AT the door.  One on the roof (for the wildlife that
invariably end up there).

One for the alarm system.  Phone system.  CATV.  CATV modem.  2 OTA TV
receivers.  2 SDRs.

10 BT "beacons" in the ceiling to track the location of occupants.
2 WiFi APs (also in the ceiling).

Etc.  Processors are cheap.  As is CAT5 to talk to them and power them.

You'll *see* the cameras, speaker grills, etc.  But, the kit controlling
each of them is hidden -- in the devices, walls, ceilings, etc.  (each
"controller" is about the size/shape/volume of a US electrical receptacle)

>>>> I have an out-facing server that operates in stealth mode and won't appear
>>>> on probes (only used to source my work to colleagues).  The goal is not to
>>>> look "interesting".
>>>
>>> Not sure what you mean by that.
>>> Given what gets thrown at my firewall I think you could maybe look more
>>> interesting than you think.
>>
>> Nothing on my side "answers" connection attempts.  To the rest of the world,
>> it looks like a cable dangling in air...
> 
> You could ping me if you knew my IP address.

You can't see me, at all.  You have to know the right sequence of packets
(connection attempts) to throw at me before I will "wake up" and respond
to the *final*/correct one.  And, while doing so, will continue to
ignore *other* attempts to contact me.  So, even if you could see that
I had started to respond, you couldn't "get my attention".

>>>> The structure of the house's fabric allows me to treat any individual
>>>> node as being directly connected to the ISP while isolating the
>>>> rest of the nodes.  I.e., if you bring a laptop loaded with malware into
>>>> the house, you can't infect anything (or even know that there are other
>>>> hosts, here); it's as if you had a dedicated connection to the Internet
>>>> with no other devices "nearby".
>>>
>>> I wouldn't bother. I'd just not connect it to wifi or wired if I thought
>>> there was a risk.
> 
> What I mean by that is I'd clean it without it being connected.
> The Avira boot CD used to be useful but I forget how many years ago.

If you were to unplug any of the above mentioned ("house") drops,
you'd find nothing at the other end.  Each physical link is an
encrypted tunnel that similarly "hides" until (and unless) properly
tickled.  As a result, eavesdropping on the connection doesn't
"give" you anything (because it's immune from replay attacks and
its content is opaque to you).

>> So, you'd have to *police* all such connections.  What do you do with hundreds
>> of drops on a factory floor?  Or, scattered throughout a business?  Can
>> you prevent any "foreign" devices from being connected -- even if IN PLACE OF
>> a legitimate device?  (after all, it is a trivial matter to unplug a network
>> cable from one "approved" PC and plug it into a "foreign import")
> 
> Devices on a LAN should be secure just like Internet facing devices.

They should be secure from the threats they are LIKELY TO FACE.
If the only access to my devices is by gaining physical entry
to the premises, then why waste CPU cycles and man-hours protecting
against a threat that can't manifest?  Each box has a password...
pasted on the outer skin of the box (for any intruder to read).

Do I *care* about the latest MS release?  (ANS:  No)
Do I care about the security patches for it?  (No)
Can I still do MY work with MY tools?  (Yes)

I have to activate an iPhone, tonight.  So, drag out a laptop
(I have 7 of them), install the latest iTunes.  Do the required
song and dance to get the phone running.  Wipe the laptop's
disk and reinstall the image that was present, there, minutes
earlier (so, I don't care WHICH laptop I use!)
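
The "wake up only after the right sequence of connection attempts" behaviour described in the post is, in effect, port knocking.  The following is an added example written for this page, not Don Y's code and not a description of his system; the ports, timings and addresses in it are assumptions chosen for illustration.  It models a gate that drops every packet silently, advances per-source state only when the expected port is hit, resets that source on any wrong port, and answers the real service port only for a source that has recently completed the sequence.

```python
"""Port-knock gate: stay silent until one source sends the right sequence
of connection attempts, then answer only that source, only briefly.

Added example for this page, not Don Y's implementation. Every port,
timing and address below is an assumption chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock: closed ports, in order
SERVICE_PORT = 2222                   # assumed port of the hidden service
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the whole knock
OPEN_DURATION = 30.0                  # seconds the successful knocker is answered

SILENT = "silent"   # packet dropped: no SYN/ACK, no RST, nothing to fingerprint
ACCEPT = "accept"   # connection to SERVICE_PORT let through


@dataclass(frozen=True)
class Attempt:
    ts: float    # arrival time, seconds
    src: str     # source address
    dport: int   # destination port probed


@dataclass
class KnockGate:
    # src -> (index of the next expected knock port, time of the first knock)
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # src -> time until which that source may connect to SERVICE_PORT
    opened: Dict[str, float] = field(default_factory=dict)

    def handle(self, a: Attempt) -> str:
        # Expire a stale grant first, so an old opening never answers.
        if a.src in self.opened and a.ts > self.opened[a.src]:
            del self.opened[a.src]

        if a.dport == SERVICE_PORT:
            # Only a source that completed the knock recently is answered.
            # Everyone else sees the same nothing a dangling cable would give.
            return ACCEPT if a.src in self.opened else SILENT

        idx, started = self.progress.get(a.src, (0, a.ts))
        if a.ts - started > KNOCK_WINDOW:
            idx, started = 0, a.ts            # too slow: start the knock over

        if a.dport == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                self.opened[a.src] = a.ts + OPEN_DURATION
                self.progress.pop(a.src, None)
            else:
                self.progress[a.src] = (idx, started)
        else:
            # Any unexpected port resets that source. A sequential sweep hits
            # 7000, 8000 and 9000 in order but also every port between them,
            # so it never completes the sequence.
            self.progress.pop(a.src, None)
        return SILENT  # knocks themselves are never acknowledged


def run(gate: KnockGate, attempts: List[Attempt]) -> List[str]:
    """Feed attempts through the gate in order; return one verdict per attempt."""
    return [gate.handle(a) for a in attempts]


def sequential_scan(src: str, first: int, last: int) -> int:
    """Constructed scanner: probe ports first..last in order from one source,
    then try the service port. Returns how many probes were answered."""
    attempts = [Attempt(i * 0.01, src, p) for i, p in enumerate(range(first, last + 1))]
    attempts.append(Attempt(len(attempts) * 0.01, src, SERVICE_PORT))
    return run(KnockGate(), attempts).count(ACCEPT)


def demo() -> List[str]:
    """Constructed traffic: one legitimate knocker and one onlooker."""
    knocker, stranger = "10.0.0.5", "10.0.0.9"   # assumed addresses
    attempts = [
        Attempt(0.0, knocker, 7000),
        Attempt(1.0, knocker, 8000),
        Attempt(2.0, knocker, 9000),
        Attempt(3.0, knocker, SERVICE_PORT),    # knock complete: answered
        Attempt(3.5, stranger, SERVICE_PORT),   # saw the knocker get in: still silent
        Attempt(4.0, stranger, 7000),           # stranger starts a knock of its own...
        Attempt(5.0, knocker, SERVICE_PORT),    # ...which does not disturb the knocker
        Attempt(40.0, knocker, SERVICE_PORT),   # grant expired at t=32: silent again
    ]
    return run(KnockGate(), attempts)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print("sweep 6999-9001 answered:", sequential_scan("10.0.0.7", 6999, 9001))
```

Running it shows the knocker answered on the service port while the onlooker, who watched the knocker get in, still gets nothing, and a sequential sweep over the knock ports is never answered because the wrong ports between the knocks reset its state.  One caveat a practitioner would want: a fixed knock sequence captured off the wire can be replayed from another address unless the knock itself carries a nonce or a signature.  The post treats replay resistance as a separate layer (the encrypted per-link tunnels); this example does not model that layer.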