<vjfhrg$saj$1@nnrp.usenet.blueworldhosting.com>


Path: ...!weretis.net!feeder9.news.weretis.net!news.quux.org!eternal-september.org!feeder3.eternal-september.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: "Edward Rawde" <invalid@invalid.invalid>
Newsgroups: sci.electronics.design
Subject: Re: Win11 explorer bug?
Date: Thu, 12 Dec 2024 15:42:24 -0500
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Lines: 93
Message-ID: <vjfhrg$saj$1@nnrp.usenet.blueworldhosting.com>
References: <qieclj5ca2dsc2fnpufpg51fn7qt0u2peh@4ax.com> <vj6im4$cf7f$1@dont-email.me> <dcselj96kvngr6gid7mje3phabj2sp876t@4ax.com> <vj91de$t4hr$2@dont-email.me> <jcoglj5c0cmprqek68tah1euht1amhu9ko@4ax.com> <vj9q8g$11i0t$2@dont-email.me> <13vgljdqp79a2onuijph2om08fk99u2fdm@4ax.com> <vjablv$14se5$1@dont-email.me> <addhljp8i0d5t42lavnd37a8e883ijhsqt@4ax.com> <vjaeii$14se5$2@dont-email.me> <gquhljd83745shtckfjgtd5u6iphkprprc@4ax.com> <vjblle$1fd6a$1@dont-email.me> <gsnjljdvnhu7m25ops26ek9lvca5eqvk2n@4ax.com> <vjec62$22pn8$1@dont-email.me> <vjefoe$23fh4$1@dont-email.me> <uj2r2lxum3.ln2@Telcontar.valinor> <vjennd$24vi6$1@dont-email.me> <vjeu9v$1k7v$1@nnrp.usenet.blueworldhosting.com> <vjf6rs$2rvlf$1@dont-email.me> <vjfdof$1d8$1@nnrp.usenet.blueworldhosting.com> <vjfg9k$2tnfq$1@dont-email.me>
Injection-Date: Thu, 12 Dec 2024 20:42:24 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
	logging-data="29011"; mail-complaints-to="usenet@blueworldhosting.com"
Cancel-Lock: sha1:GycNF4NJxhffGEQjhShn7D+qgr8= sha256:xZF7wkxr69Jg62koPMY+y5Hbiuf6GnbP5AolwVVmiQo=
	sha1:AmYGU/5kndNXLR9kHliibj/z/Ic= sha256:4dTFvSL8nfP/S/ZYet6cyP4G8Vect3Up9SOP9xhR2LA=
X-MSMail-Priority: Normal
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-Priority: 3
Bytes: 6359

"Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
> On 12/12/2024 12:32 PM, Edward Rawde wrote:
>>> Is there any reason the camera can't talk to a phone that is also
>>> hosted by the customer's access point?
>>>
>>> If you want to let the camera access a phone that is NOT "local",
>>> then let the user subscribe to a DynDNS service -- provided by
>>> any number of competing firms (even the manufacturer -- via a nice
>>> clean OPEN interface).
>>
>> Inbound is problematic for various reasons.
>> Do you want your cameras accepting inbound connections from anywhere in the world?
>
> Vendors have no problem selling "hubs" as a prerequisite to talk to
> their devices.  Why can't the hub implement a packet filter?

One reason is that the packet filtering would have to be configured specifically for local requirements.
This gets us back to the issue of most people not knowing a packet filter if they fell over it.

> Use that as a selling point:  the hub can act to protect the
> local network (for a fee!!) while their access point/router likely
> has not been reliably configured for that purpose.
>
>> Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
>> firmware updates.
>
> Simply putting the camera (or any device manufactured by someone who
> may or may not be trustworthy) on your "internal network" puts you
> at risk.
>
> E.g., I can open an outbound connection to hostile_actor.com and let
> an external agent act as command-and-control, telling me (the camera)
> what to do ON THE INTERNAL NETWORK.

I don't permit outbound connections to a long list of countries.
I can always whitelist if it does turn out that I need to connect to a server in one of those countries.

>
> This traffic can be disguised to look innocuous.  E.g., resolving
> "whatshouldIdo.hostile_actor.com" can deliver data to the camera that
> can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
> Results can be delivered to the external agency by resolving
> "thepasswordisFOOBAR.hostile_actor.com", etc.
>
> Or, open an HTTP connection to hostile_actor.com and anyone looking
> through the logs (ha!) would just think a user visited a website
> with an oddly suspicious domain name.  (So, buy up yahooo.com,
> goggle.com, etc.)
>
>> I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
>> attempting brute force to a blacklist.
>> But most people have no interest in that.
>
> Hence the value of a "hub".
>
> I "hide" my file server behind a particular "knock sequence" that is
> only known to folks who should need access to it.  Trying to probe
> the IP address gets you no information -- it looks like there isn't
> a machine AT that IP address.

I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the 
connection is secure.

>
> Of course, the machine SEES all attempts to connect to it.  And, which
> ports and protocols are being used -- and in which sequence -- from every
> potential external IP.  So, if it sees the right combination of accesses
> in a particular time frame, it will THEN respond to a connection attempt
> for a particular service.  Or, "callback" on a preassigned port on
> the "caller's" IP address (as many ISPs frown on operating a server...
> but, no constraints on ACCESSING some external service -- even if doing
> so at the behest of said service!)
>
> Meanwhile, other attempts AT THE SAME TIME still see a "dangling wire".
>
> Once a connection is granted, there are no limits on what can be
> transferred (set up a tunnel and all of those transactions are hidden)
>
>> Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
>> pictures to be viewed by anyone other than themselves.
>
> <https://www.shodan.io/search?query=camera>
>
> Even if you can't (easily) access the video, the fact that someone has
> INSTALLED a camera (five cameras??) has informational value.

A nearby store installed cameras not long ago.
The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.

>
>
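
Added example, not part of the original post or of either poster's setup: a detection heuristic for the DNS lookups Don Y describes, where data rides in the subdomain of an attacker-controlled zone. It runs over constructed resolver log lines; the log format, client addresses, thresholds and the "last two labels" base-domain rule are assumptions.

```python
from collections import defaultdict

# Constructed resolver log lines (client IP, query name); not real traffic.
# The hostile_actor.com names are the ones quoted in the post above.
SAMPLE_LOG = """\
192.168.1.50 whatshouldIdo.hostile_actor.com
192.168.1.50 whatELSEshouldIdo.hostile_actor.com
192.168.1.50 thepasswordisFOOBAR.hostile_actor.com
192.168.1.50 time.example.net
192.168.1.20 www.example.com
192.168.1.20 mail.example.com
192.168.1.20 api.example.com
192.168.1.20 www.example.com
"""

def split_name(qname):
    """Return (subdomain, base domain).
    Assumption: base = last two labels; real deployments should
    consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_pairs(log_text, min_unique=3, min_avg_len=10):
    """Flag (client, base domain) pairs whose lookups use many distinct,
    long subdomains: the shape of data carried inside query names.
    Returns (client, base, distinct subdomains, total subdomain chars)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    findings = []
    for (client, base), subs in sorted(seen.items()):
        total = sum(len(s) for s in subs)
        if len(subs) >= min_unique and total / len(subs) >= min_avg_len:
            findings.append((client, base, len(subs), total))
    return findings

if __name__ == "__main__":
    for finding in suspicious_pairs(SAMPLE_LOG):
        print(finding)
```

The three short, repeated names under example.com stay below the length threshold, so only the camera's lookups are reported.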
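
Added example, not part of the original post and not Don Y's implementation: the per-source bookkeeping behind a "knock sequence" as he describes it, where the right ports and protocols in the right order within a time frame open a service for that one source while every other source still gets no reply. The sequence, the timings and the `KnockGate` name are hypothetical.

```python
# Hypothetical knock sequence and timings, chosen for illustration only.
SEQUENCE = [("tcp", 7000), ("udp", 8000), ("tcp", 9000)]
WINDOW = 10.0   # seconds allowed to complete the whole sequence
GRANT = 30.0    # seconds the service stays reachable afterwards

class KnockGate:
    """Tracks knock progress separately for every source address."""

    def __init__(self, sequence=SEQUENCE, window=WINDOW, grant=GRANT):
        self.sequence, self.window, self.grant = list(sequence), window, grant
        self.progress = {}   # src -> (index of next expected knock, start time)
        self.granted = {}    # src -> time at which access expires

    def observe(self, src, proto, port, now):
        """Record one silently dropped packet; nothing is sent back."""
        idx, start = self.progress.get(src, (0, now))
        if idx and now - start > self.window:
            idx, start = 0, now                  # too slow: start over
        if (proto, port) == self.sequence[idx]:
            idx += 1
        elif (proto, port) == self.sequence[0]:
            idx, start = 1, now                  # wrong step, but a new first knock
        else:
            idx = 0                              # wrong step: forget progress
        if idx == len(self.sequence):
            self.granted[src] = now + self.grant
            idx = 0
        if idx:
            self.progress[src] = (idx, start)
        else:
            self.progress.pop(src, None)

    def allows(self, src, now):
        """True only for a source that completed the sequence recently."""
        return self.granted.get(src, 0.0) > now

if __name__ == "__main__":
    gate = KnockGate()
    # Constructed traffic: one correct knocker, one port scanner.
    for t, (proto, port) in enumerate(SEQUENCE):
        gate.observe("203.0.113.7", proto, port, float(t))
    for t, port in enumerate((7000, 7001, 9000)):
        gate.observe("198.51.100.9", "tcp", port, float(t))
    print(gate.allows("203.0.113.7", 3.0), gate.allows("198.51.100.9", 3.0))
```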