dont forget to tape your webcam

@@Crying-Croc Ethernet is very much not rare on i486 systems. And if you have a PCI board you can have USB and Wi-Fi as well, although this is obviously not normal. In terms of actual data security reasons to use a 486 over a modern CPU, they lack out-of-order execution so they are immune to attacks like Meltdown and Spectre.

5. Get hammer 6. Smash your computer

@@musicalneptunian7. Don't own a computer or any modern technology for that matter. Get rid of your mobile devices and tablets, turn on the "DUMB" TV and watch your favorite programs.

@@musicalneptunian 7. Go under a rock and never come out

Yes, mostly.

Not to mention most people just use their ISP's equipment. They disable incoming as the quick way to keep from getting sued.

Very good comment! 🙏 Deserves a pin

And the problem is that any device with a working Intel ME or AMD PSP is a compromised device.

This is a good reason to put WiFi on a separate VLAN if possible with your equipment, or even have a 'secure' WiFi for trusted devices which can access your critical infrastructure and have a 'guest' WiFi network on a separate VLAN with access to the internet but firewalled off from your critical stuff. For security, wired is your friend. 😁 Also even with NAT, UPnP if active can be opening ports exposed to the internet so best to have that turned off, at least as far as the WAN interface is concerned.

@@dingokidneys That's a very good thing yes. You don't really need a VLAN, if you have two access points they can be on different subnets. Also there's a setting for hostapd that isolates each client so they can't directly talk to each other.

Yes

My favorite is the one that goes, "The wheel on my mouse keeps on turning!"

Even then it's only (partially) disabled. Parts of it still exist because the system won't boot if fully disabled.

Get MNT Reform open hardware and firmware laptop

I haven't used their portmaster, but it does look very good. Personally, I generally do a netstat -aon or use TCPView on Windows boxes. I don't like to rely much on 3rd party software.

@@ChrisTitusTechI'll endorse your comment about 3rd party software. Use the existing basic tools and you can manage just about any system. You don't have to download a stack of other stuff before you can start to analyse a problem.

Seconded. I just had a play with Mesh Central in an attempt to see if there was an update to my Intel ME on my H87 board. Granted it's an old platform, but after a fair amount of faff, I got to the screen where it displayed my systems info but Intel ME was not anywhere to be seen. Maybe it only works if the system is newer or has a CPU with AMT.

If you care about security and are minimally competent upnp makes zero sense. If you are going to open ports in your router do it yourself.

Yeah a now you vpn provider knows what webpages are you searching.

​​@@tostadorafuriosa69Except unlike most ISPs, VPN providers generally explicitly say they don't snoop on DNS or log it. That's at least better because there's additional deterrence in the legal liability that they'd know they'd be exposing themselves to if they ever deviated from those claims.

@@PrezVetoOne thing is what they say and other what they do.

@@tostadorafuriosa69 thats why you get mullvad, which swedish authorities raided but left empty-handed because mullvad genuinely doesnt log stuff

Call me crazy, but filtering all your traffic to 1-2 companies that own most of all the VPNs in the world sounds like a bad idea. Create your own VPN if you want to filter it out of your network using a VPS. No one should ever use their ISPs DNS. Using something like NordVPN, ExpressVPN, PIA, etc. for security or privacy is just plain stupid.

Thanks, the article on their website regarding flatpak was eye opening. I had this warm fuzzy feeling that my flatpaks were somehow more secure than the OS apps due to sandboxing, guess that's not the case at all and it's even worse with flatpaks running with known vulnerable dependencies that were patched months ago. Yikes!

@@flow5718 The sandboxing can be addressed (somewhat anyway) with a tool like flatseal or the flatpak permissions module in Plasma settings. At the very least you can fix bad defaults. As for old dependencies, you have to keep track of who packages it. Official flatpaks by KDE/Gnome will be fine since it just ships the latest stuff your package manager would include. Flatpaks packaged by third parties are more risky, the bright side is it's all open so you can see what is being used. Also, keep in mind that article is really old. Some other youtube channels have addressed these concerns.

That sounds very interesting. Been using Nix for a while now, I've been very impressed. My boot time dropped from ~30 seconds to under 10 coming from Fedora, being able to hop into a development environment instantly is amazing and the snapshots give it a big edge over Arch. Pretty much the only annoyance is binary compatibility due to the directory structure compared to other Linuxes, but that's an easy fix using Distrobox.

It's not clear what you are asking. What is the limitation with your "hotspot" and what are you trying to achieve with NAT? What kind of 'hotspot' technology are you using? Is it like wireless broadband to a router that you then connect your devices to? Do you not have admin access to the router? In a domestic setting, you are generally limited to the PAT (port address translation) form of NAT meaning that you map a single port exposed on your WAN side to a single host:port combination on your LAN and this must be set up on the router.

If you have no friends its perfect.

even a password dairy is Op.

Once at that site, use the CSS drop down menu to select from Services.

A little if you remove certain services that can be exploited. A better way to do it is with harden tools. This closes a lot of attack surfaces in windows. github.com/hardentools/hardentools Just a FYI: It does disable powershell which my tweak script relies on. So, my script will not work if you lock it all down.

If I might suggest, start with your perimeter and work in. I.e. check and close off unnecessary access from the internet via your router and WiFi. Using the GRC Shields Up as Chris showed here is a great start to knowing what you are exposing to the world. Then check your router settings and shut off anything accessible from the WAN like "Remote Admin", UPnP and so forth. As for your WiFi, disable WPS, make sure you are using WPA3 if possible or at least WPA2 (not WPA or WEP) and a STRONG WiFi password. Use a password generator to make something up that is random and long; maybe 24+ characters. It's a pain to set up new devices but worth the security and you only have to do it once for each device. If you need others to have access to your network from time to time, set up a 'guest' WiFi on a different VLAN from your main stuff or at least only turn it on when you have people there who need it. It is way too easy to crack simple WiFi passwords on WPA2 and WPA/WEP pose no obstacle to any script kiddie with a Kali install on even basic hardware. Hell, I cracked my neighbours passwords on a 2008 Dell laptop running Kali with a Core 2 Duo processor. Simple passwords leave you open to the world.

@@ChrisTitusTech legend thanks @christitustech

@@dingokidneys nice thanks mate :)

"you mentioned someone can still access your Intel if its off, they would need the remoting part of windows to do this, correct?" No. The Intel Management Engine is a hardware based system. It's a secretive chip on the motherboard which runs in parallel to the CPU and has complete control over the system at the hardware level. If you have a vPro CPU with AMT enabled (generally enterprise features) your system can be controlled via Intel ME even when off as long as it has power. By controlled I mean even a remote format can be executed. The installed OS does not matter here. Intel ME on consumer CPU's and motherboards is "supposed" to be less involved but nobody really knows for sure Intel has shared very little information on the management engine.

I heard about that on Russell Brand's newest video. That thing is anti-privacy.

If the ethernet is plugged in and power is still supplied to the device, the chip in vPro Intel machines is never off. You can access it without being booted and can turn it on remotely. Check out all the "Out of Band" access ways. Pretty cool stuff... unless you get hacked using it. Fun tidbit: NordVPN had this happen in a data center and was exposed for months with the hacker having free reign.

Look again. On these types of systems an Ethernet link is usually maintained even when main power is off (obviously not if power is unplugged). This link when off can often be disabled.

Firewall should be present so that you can use an AP that is not yours (like in a Hotel).

Yubikey is a hardware USB device

There is a book that talks about using AI... essentially it is what Prevention detection is all about. you have Network intrusion detection/prevention and host based. They are pretty much firewalls in the simplest sense. The trick to these systems is that they do not follow normal distributions, (this is also the problem with neural networks in finance..) so finding attackers often has a lot of noise and may not be reliable. The ip tables idea is really simple and effective without much effort in maintaining. Once you have that the packets on the open/available ports are the tricky part. The book i am thinking of is called "Network Traffic Anomaly Detection and Prevention"

@@readypetequalmers7360I ran the SELKS stack inside Docker containers for a couple months. Suricata and Co. Pretty sure I had it configured as IPS. So it would block packets that fit a certain pattern. And I only used the free patterns available. In total there was like 30 000 patterns for me. Some patterns I had to remove/allow because they would block traffic I wanted. Works via PCAP which I think is Packet CAPture in Linux. So it checks every packet. Uses a bit of RAM and CPU. I only have a Ryzen 5600X and I was playing games and the normal stuff at the same time, so it's not that heavy, the SELKS stack. In an enterprise situation, I expect it to be much worse. Think I saw some benchmarks of transferring 50 gbit/s maxing out Xeons. Just a normal transfer. I don't know if they used a firewall. I only have 500 mbit/s internet traffic. I also tried a rudimentary/basic AI firewall. The difficulty with that is confirming it works and what it works on. How do I know what it does? False positives etc. If I send out a bunch of e-mails once a month, would it see that traffic as hostile? So you have to train it. I don't see the training period ever ending. Software changes, hardware changes, constantly.

Yeah I'd like to do that too. I've tried a few times but never put the time in to make it work well. By default they only cover known issues. The tricks that are more modern are not going to be covered by those systems. It's also likely there are a lot of false positives generated by those SNORT rules. While I like the idea of using more of those IPS like curicata and SNORT (I think these are rule based IPS) they require tuning which many normal users can't do. I like the AI idea and some have shown some good results, but same problem with false positives. The book I mentioned specifically pointed out one of the issues is the data to train on. Supervised learning models can easily miss what they have never seen, so unsupervised or statistical models are better to use at some point. Most of these are too slow to actually do the work live. One of the issues the book mentioned is that there is a lack of data on good and bad network packets. Ideally you'd have all known bad attacks in the data, but impossible to do. For good data each house has very unique situations and setups. This is where an open source network collection project might be helpful in making. People donate their packets to the cause. Just have to figure out how to anonymize that data.@@MrPunkassfuck

Maybe try using more open source software?

MS Office has more features than it's counter parts. Microsoft & it's friends want us to use their software.

Not using cracked software, instead open source as much as possible (note this assumes that alternative[s] exist).

Try Rescuezilla. It's worked great for me. Will work with just about any operating system.

That sounds like there might be more context to that story. I was worried for a moment then I saw "microOS" I think that OS is used as a basis for docker/containers. These containers are designed for running one or two apps. If software isn't running on that system there is nothing to listen on those ports. When you run a container for a web app you want those web ports open, which apache or nginx etc do.... this is only my take from the information in the comment. I do not know the rest of the story or even much about microOS.

@@readypetequalmers7360 I can somewhat understand microOS. But Aeon is designed for Desktop usage (Gnome Desktop to be exact).

ah ok makes sense... I'd stay away from Aeon. :)@@kuhluhOG

So you write them down on a notepad?

Kinda-sorta. I tape a sheet of paper to the keyboard. It doubles as a shopping list. and gets replaced often so I keep a copy on my mfp scanner.

@Crying-Croc Oh, I'm not worried about it, the laptop never leaves the house. If someone had the capability to engineer a way into my finances or other accounts it won't be through that.

And a pen, not a pencil. 😆

Unless you're some human computer I fail to see how you can write on a physical notepad with something resembling the security of AES-256. Your person and personal objects have even less protection than your home or bank accounts as they can be seized and searched for any reason (even made up ones) by local law enforcement no less.

@@flow5718 I would rather trust law enforcement entering my home than some companies. There reasonably honest here in the UK. Plus you can salt the passwords.

A note pad actually isn't the most secure option. If you can't trust your government (nobody should), then you can't trust that they'll leave your property alone. God forbid they get a warrant and search your house, now all of your most sensitive information is exposed. The most secure option that's at least somewhat practical would be an airgapped, encrypted system that does nothing but store your critical information. Use it like a notepad and nothing else.

@@mgord9518 sounds like a yubi key

you can specify it in iftables / iptables, but for the layman, most use ufw on linux for simplicity.

Ohh he has been installing Linux drunk in a couple of streams now. the best one was Ubuntu/ debian one where his liveUSB was failing but he was entertaining us live for a really long time.

I moved my data from LastPass to Bitwarden. LastPass lost a ton of customers when they decided to change to a subscription system.

I am blind, but I can see The snowflakes glisten on the trees

This is disinformation. He donated to religious organizations and those who attacked him claimed the homophobe idea.

@@readypetequalmers7360 no he legit is against gay marriage and donated for some of the worst anti-gay propaganda.