<uvp23k$1png$1@nnrp.usenet.blueworldhosting.com>


Path: ...!weretis.net!feeder6.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: "Edward Rawde" <invalid@invalid.invalid>
Newsgroups: sci.electronics.design
Subject: Re: Re:Predictive failures
Date: Wed, 17 Apr 2024 13:49:38 -0400
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Lines: 144
Message-ID: <uvp23k$1png$1@nnrp.usenet.blueworldhosting.com>
References: <uvjn74$d54b$1@dont-email.me> <uvjobr$dfi2$1@dont-email.me> <uvkn71$ngqi$2@dont-email.me> <uvkrig$30nb$1@nnrp.usenet.blueworldhosting.com> <uvl2gr$phap$2@dont-email.me> <uvm7f5$pvu$1@nnrp.usenet.blueworldhosting.com> <uvmaet$1231i$2@dont-email.me> <uvmca4$up7$1@nnrp.usenet.blueworldhosting.com> <uvmjmt$140d2$1@dont-email.me> <uvmkco$2fih$1@nnrp.usenet.blueworldhosting.com> <uvmqve$15hl7$2@dont-email.me> <uvmthn$bjm$1@nnrp.usenet.blueworldhosting.com> <uvn7lm$17so6$2@dont-email.me> <uvn96o$2o0t$1@nnrp.usenet.blueworldhosting.com> <uvnf00$1cu2a$1@dont-email.me> <uvnio7$eac$1@nnrp.usenet.blueworldhosting.com> <uvnlr6$1e3fi$1@dont-email.me> <uvnnbd$30q6$1@nnrp.usenet.blueworldhosting.com> <uvnqg7$1f0pl$1@dont-email.me>
Injection-Date: Wed, 17 Apr 2024 17:49:40 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
	logging-data="59120"; mail-complaints-to="usenet@blueworldhosting.com"
Cancel-Lock: sha1:wutZLdhXSTc9hrPh69u6EcLn9VE= sha256:8sxjSX16fOmqziuepJ7ZfLb96lcPYMvPggIZozyiVmI=
	sha1:x3eeaF2x9CBpdmUZ1tdhq25UuHc= sha256:sn/UHys5ATtYRM2ITtzR9ScbZMwAjpJ2gMAumFo6qy8=
X-Priority: 3
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-RFC2646: Format=Flowed; Response
X-MSMail-Priority: Normal
Bytes: 7979

"Don Y" <blockedofcourse@foo.invalid> wrote in message 
news:uvnqg7$1f0pl$1@dont-email.me...
> On 4/16/2024 10:39 PM, Edward Rawde wrote:
>> "Don Y" <blockedofcourse@foo.invalid> wrote in message
>> news:uvnlr6$1e3fi$1@dont-email.me...
>>> On 4/16/2024 9:21 PM, Edward Rawde wrote:
>>>>> The internal network isn't routed.  So, the only machines to worry about
>>>>> are this one (used only for email/news/web) and a laptop that is only used
>>>>> for ecommerce.
>>>>
>>>> My LAN is more like a small/medium size business with all workstations,
>>>> servers and devices behind a firewall and able to communicate both with
>>>> each other and online as necessary.
>>>
>>> I have 72 drops in the office and 240 throughout the rest of the house
>>> (though the vast majority of those are for dedicated "appliances")...
>>> about 2.5 miles of CAT5.
>>
>> Must be a big house.
>
> The office is ~150 sq ft.  Three sets of dual workstations each sharing a
> set of monitors and a tablet (for music) -- 7 drops for each such set.
> Eight drops for my "prototyping platform".  Twelve UPSs.  Four scanners
> (two B size, one A-size w/ADF and a film scanner).  An SB2000 and Voyager
> (for cross development testing; I'm discarding a T5220 tomorrow).
> Four "toy" NASs (for sharing files between myself and SWMBO, documents
> dropped by the scanners, etc.).  Four 12-bay NASs, two 16 bay.  Four
> 8-bay ESXi servers.  Two 1U servers.  Two 2U servers.  My DBMS server.
> A "general services" appliance (DNS, NTP, PXE, FTP, TFTP, font, etc.
> services).  Three media front ends.  One media tank.  Two 12 bay
> (and one 24 bay) iSCSI SAN devices.
>....
>
>>>>> I have an out-facing server that operates in stealth mode and won't
>>>>> appear on probes (only used to source my work to colleagues).  The goal
>>>>> is not to look "interesting".
>>>>
>>>> Not sure what you mean by that.
>>>> Given what gets thrown at my firewall I think you could maybe look more
>>>> interesting than you think.
>>>
>>> Nothing on my side "answers" connection attempts.  To the rest of the
>>> world, it looks like a cable dangling in air...
>>
>> You could ping me if you knew my IP address.
>
> You can't see me, at all.  You have to know the right sequence of packets
> (connection attempts) to throw at me before I will "wake up" and respond
> to the *final*/correct one.  And, while doing so, will continue to
> ignore *other* attempts to contact me.  So, even if you could see that
> I had started to respond, you couldn't "get my attention".

I've never bothered with port knocking.
Those of us with inbound connectable web servers, database servers, email 
servers etc have to be connectable by more conventional means.

.....
>>>>
>>>> I wouldn't bother. I'd just not connect it to wifi or wired if I
>>>> thought there was a risk.
>>
>> What I mean by that is I'd clean it without it being connected.
>> The Avira boot CD used to be useful but I forget how many years ago.
>
> If you were to unplug any of the above mentioned ("house") drops,
> you'd find nothing at the other end.  Each physical link is an
> encrypted tunnel that similarly "hides" until (and unless) properly
> tickled.  As a result, eavesdropping on the connection doesn't
> "give" you anything (because it's immune from replay attacks and
> it's content is opaque to you)

I'm surprised you get anything done with all the tickle processes you must 
need before anything works.

>
>>> So, you'd have to *police* all such connections.  What do you do with
>>> hundreds of drops on a factory floor?  Or, scattered throughout a business?
>>> Can you prevent any "foreign" devices from being connected -- even if IN
>>> PLACE OF a legitimate device?  (after all, it is a trivial matter to unplug
>>> a network cable from one "approved" PC and plug it into a "foreign import")
>>
>> Devices on a LAN should be secure just like Internet facing devices.
>
> They should be secure from the threats they are LIKELY TO FACE.
> If the only access to my devices is by gaining physical entry
> to the premises, then why waste CPU cycles and man-hours protecting
> against a threat that can't manifest?  Each box has a password...
> pasted on the outer skin of the box (for any intruder to read).

Sounds like you are the only user of your devices.
Consider a small business.
Here you want a minimum of either two LANs or VLANs so that guest access to 
wireless can't connect to your own LAN devices.
Your own LAN should have devices which are patched and have proper 
identification so that even if you do get a compromised device on your own 
LAN it's not likely to spread to other devices.
You might also want a firewall which is monitored remotely by someone who 
knows how to spot anything unusual.
I have much written in python which tells me whether I want a closer look at 
the firewall log or not.

>
> Do I *care* about the latest MS release?  (ANS:  No)
> Do I care about the security patches for it?  (No)
> Can I still do MY work with MY tools?  (Yes)

But only for your situation.
If I advised a small business to run like that they'd get someone else to do 
it.

>
> I have to activate an iPhone, tonight.  So, drag out a laptop
> (I have 7 of them), install the latest iTunes.  Do the required
> song and dance to get the phone running.  Wipe the laptop's
> disk and reinstall the image that was present, there, minutes
> earlier (so, I don't care WHICH laptop I use!)

You'll have to excuse me for laughing at that.
Cybersecurity is certainly a very interesting subject, and thanks for the 
discussion.
If I open one of the wordy cybersecurity books I have (pdf) at a random page 
I get this.
"Once the attacker has gained access to a system, they will want to gain 
administrator-level access to the current resource, as well as additional 
resources on the network."
Well duh. You mean like once the bank robber has gained access to the bank 
they will want to find out where the money is?

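Edward mentions having Python that decides whether the firewall log deserves a closer look. The block below is an added example, not Edward's script or any code from this thread: a small triage pass over constructed iptables/netfilter-style syslog DROP lines that flags a source hitting many distinct destination ports (a scan) or repeatedly probing sensitive service ports, while ignoring the one-off background noise every Internet-facing firewall sees. The log format, the documentation-range addresses, the thresholds and the sensitive-port list are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in netfilter/iptables syslog style. Addresses come from
# the RFC 5737 documentation ranges; nothing here is captured traffic.
def _line(src, dpt=None, proto="TCP", action="DROP", iface="eth0"):
    base = (f"Apr 17 13:49:38 fw kernel: {action} IN={iface} OUT= "
            f"SRC={src} DST=198.51.100.10 LEN=40 TTL=52 PROTO={proto}")
    if dpt is None:                      # ICMP-style record, no ports
        return base + " TYPE=8 CODE=0 ID=1 SEQ=1"
    return base + f" SPT=51234 DPT={dpt} WINDOW=1024 SYN"

SAMPLE_LOG = (
    # one host walking a handful of service ports: classic scan signature
    [_line("203.0.113.5", p) for p in (21, 22, 25, 53, 80, 110, 143, 443)]
    # one host hammering SSH only
    + [_line("203.0.113.77", 22) for _ in range(6)]
    # background noise: a single SMB probe, an ICMP echo, an ACCEPT record,
    # and an unrelated syslog line that the parser must simply skip
    + [_line("198.51.100.200", 445),
       _line("203.0.113.9", proto="ICMP"),
       _line("198.51.100.10", 443, action="ACCEPT", iface=""),
       "Apr 17 13:49:39 fw sshd[1234]: Accepted publickey for admin"]
)

# Fields we care about from a netfilter log line; SPT/DPT are optional so that
# ICMP records (which carry TYPE/CODE instead) still parse.
LOG_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\s+IN=(?P<iface>\S*)\s.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

# Assumed tuning knobs: which ports count as "interesting" and how much
# activity from one source is enough to justify a human look.
SENSITIVE_PORTS = {22, 23, 445, 1433, 3306, 3389, 5900}
SCAN_DISTINCT_PORTS = 8
SENSITIVE_HITS = 5

def parse_line(line):
    """Return a dict of fields for a netfilter log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def triage(lines):
    """Summarise dropped inbound traffic and decide whether it warrants a closer look.

    Only DROP records are considered; a single probe from a source is treated as
    background noise. A finding is raised when one source touches many distinct
    destination ports (scan) or repeatedly probes a sensitive service port.
    """
    ports_by_src = defaultdict(set)
    sensitive_by_src = defaultdict(int)
    dropped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        dropped += 1
        if rec["dpt"] is None:           # ICMP etc.: counted, not scored
            continue
        ports_by_src[rec["src"]].add(rec["dpt"])
        if rec["dpt"] in SENSITIVE_PORTS:
            sensitive_by_src[rec["src"]] += 1

    findings = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= SCAN_DISTINCT_PORTS:
            findings.append((src, "port scan", f"{len(ports)} distinct ports"))
    for src, hits in sorted(sensitive_by_src.items()):
        if hits >= SENSITIVE_HITS:
            findings.append((src, "repeated sensitive-port probes", f"{hits} hits"))
    return {"dropped": dropped, "findings": findings, "worth_a_look": bool(findings)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"dropped records: {result['dropped']}")
    for src, kind, detail in result["findings"]:
        print(f"  {src:16} {kind:32} {detail}")
    print("closer look:", "yes" if result["worth_a_look"] else "no")
```

The thresholds are per batch of lines, so run this over a bounded window (say, the last hour) rather than the whole log, or a slow scanner spread across a day will never cross the distinct-port threshold while a busy day of harmless single probes might. Single probes are deliberately not findings: on any connectable server they are the normal state of the Internet, and alarming on them is what makes people stop reading the log.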