• Aceticon@lemmy.dbzer0.com
    65 up, 4 down · 9 hours ago (edited)

    If you’re running Windows, always assume that if the US Authorities or Microsoft itself want to spy on you as an individual or do a little industrial espionage on your company (which US agencies also do), they’ll just use a backdoor already present or at worst push an update to your machine(s) to create said backdoor.

    Treat any and all software made by US companies as a foreign agent.

    All the shit that the US Government and companies say about China, is pure Projection - the result of a mental process of “what would we do if we were the ones making those devices”. (And, yeah, China probably does that shit too)

    If it ain’t Open Source, you got it as a binary or it can self-update, that software is somebody else’s agent and you’re trusting their ethics and goodwill when you have it running in your system outside a sandbox.

    • dread@lemmy.world
      5 up · 4 hours ago

      What’s unfortunate is a significant number of people don’t like hearing this and instead choose to project onto other countries. Most of our governments aren’t our friends, regardless if you’re American or not.

    • ShankShill@sh.itjust.works
      9 up · 7 hours ago

      I was pumped to finally get decent Internet in the US, until I saw my ISP’s router appears as a device on the LAN. Luckily I’m savvy enough to put the whole local network behind a firewall on a different subnet, since there’s no other way of fixing this.

      • lightnsfw@reddthat.com
        2 up · 4 hours ago

        Same. My housemates called the ISP for support once when they couldn’t wait literally 15 minutes for me to check out why their Internet was down (router just needed a restart) and the first thing out of the ISP dude’s mouth was “with the way your network is configured I can’t see anything on your side” (which yeah, that’s the fucking point). He was in the middle of walking them through resetting the ISP router back to defaults when I arrived and put a stop to it. Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

        • the_crotch@sh.itjust.works
          2 up · 2 hours ago

          > Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

          L1 isn’t there to think, they’re there to read from their script.

          • lightnsfw@reddthat.com
            1 up · 2 hours ago

            I mean yeah, but I was hoping the people I share living space with would have at least been smart enough to work that out.

      • youmaynotknow@lemmy.zip
        10 up · 7 hours ago (edited)

        It’s not just US ISPs, this is worldwide behavior. Good on you to put a firewall between your network and your ISP’s gateway.

        I don’t know if you went further than that, but in my case, once I had my OPNsense deployed, I went ahead and disabled all the radios of the ISP’s ONT gateway, changed its DNS server to Mullvad, and only left 1 LAN IP address to the OPNsense.

        If you are aware of more things that can be done to give the ISP modem even less room to move around inside, I would appreciate you sharing it as well.

        I wish more people would take the time to learn a bit about securing their home networks. What I do is that I offer my knowledge for free to neighbors, friends and family. Some actually want it and act on it, but the sad truth is that the vast majority still has this ‘I have nothing to hide’ mentality, and I’m not explaining how much marketing BS that is to them for the 100th time.

        • Hathaway@lemmy.zip
          3 up · 5 hours ago (edited)

          As someone with a basic background in IT, nothing advanced, but enough to be the “family tech guy”, I just bought my router (mesh network). What can I do? Where do I start? I think I may have messed up with my brand choice, being EERO, as they seem to have things locked into their proprietary app. I was sorta desperate for a quick fix at the time, didn’t do the due diligence I should have.

          Edit: preemptive thank you if you take the time to reply. As I am not “friends or family to you”. I do appreciate the expertise!

          • oozynozh@sh.itjust.works
            1 up · 5 hours ago

            i’m sure that’s a fine setup for the average home user but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to eero). that and you have no way of verifying what data it’s phoning home (and a lot of devices soft brick themselves if you cut their connection to the cloud).

            the most useful advice i can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.
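
The layout discussed in this thread (your own firewall on a separate subnet behind the ISP gateway, VLAN segmentation, DNS forced to a resolver you control), sketched as a plain nftables ruleset. This is an added example, not part of any post above and not pfSense, OPNsense or OpenWrt configuration; the interface names, VLAN IDs, address range and the local resolver on port 53 are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. Assumed names and ranges (not from the thread):
#   wan0    faces the ISP gateway, whose own LAN is 192.168.1.0/24
#   lan0.10 trusted VLAN, lan0.20 IoT/vendor-managed VLAN, lan0.30 guest VLAN
#   a DNS resolver you control listens on this firewall, port 53
flush ruleset

define WAN     = "wan0"
define TRUSTED = "lan0.10"
define INSIDE  = { "lan0.10", "lan0.20", "lan0.30" }
define LIMITED = { "lan0.20", "lan0.30" }
define ISP_NET = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        iifname $WAN udp sport 67 udp dport 68 accept   # DHCP lease from the ISP gateway
        iifname $TRUSTED tcp dport 22 accept            # admin access from the trusted VLAN only
        iifname $INSIDE udp dport { 53, 67 } accept     # DNS and DHCP service for inside VLANs
        iifname $INSIDE tcp dport 53 accept
        # everything else, including anything the ISP gateway initiates, hits policy drop
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $LIMITED ip daddr $ISP_NET drop         # IoT/guests cannot reach the gateway's admin UI
        iifname $TRUSTED oifname { $WAN, "lan0.20" } accept
        iifname $LIMITED oifname $WAN accept
        # no rule lets wan0, IoT or guest open a connection into the trusted VLAN
    }
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $INSIDE udp dport 53 redirect to :53    # hard-coded DNS servers still land on your resolver
        iifname $INSIDE tcp dport 53 redirect to :53
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The redirect only captures plain DNS on port 53; a device that speaks DNS-over-HTTPS or DNS-over-TLS bypasses it and has to be handled separately.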

        • AlfredoJohn@sh.itjust.works
          2 up · 5 hours ago

          Just adding: if you have any resources about how to go about this, I would more than appreciate any nuggets you can share. I have some networking background from college but it’s been about a decade since I used any of it, so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!