Post by housetech on Jun 15, 2022 11:06:48 GMT -5
I used to read Sir Tim Berners-Lee's website W3C and he warned us 20 yrs ago the internet, as they configured it, is adequate for what we use it for today. He expressed particular outrage that GCHQ and the NSA had weakened online security by cracking much of the online encryption on which a world of users rely to guard data privacy. Gov't spying has caused much of the loss of security. We all know nothing stays secret once the gov't "knows" something. There is no such thing as privacy on the net today. Berners-Lee called for greater encryption, but as usual, politicians shot it down. Gov't is always the problem, never the answer. As of 2021, he was building a new version of the net; Solid, a new system, a decentralized version of the Internet using PODS.
VPN: not all it's advertised to be.
Boom, Java is not as safe as is claimed. Make sure you have the latest version installed. I highly recommend you keep your router firmware updated.
As Keith stated, even when software is uninstalled, there are always bits left behind. Does Mac have HD cleaning software? A free CCleaner program does a good job on Windows. Have you considered formatting your hard drive, reinstalling the OS with its own partition and another partition as data storage? Let the Mac be a Roon one-trick pony. That's what I would do. I prefer an SSD used as read-only (OS) and a HDD as read/write (data). I use both in one PC.
Good luck.
KeithL
Administrator
Posts: 10,256
Post by KeithL on Jun 15, 2022 11:08:50 GMT -5
You are entirely correct - about "PROPER PRACTICES". And the single biggest problem with MOST modern security devices and software is that they encourage a sense of false security. There is basically NOTHING that can protect you if you CHOOSE to run a program that turns out to be dangerous. Neither an anti-virus nor an anti-malware program will protect you from 100% of all the threats out there. And a VPN WILL NOT ensure that "what you do online will always be safe, secure, or private". (And it absolutely WILL NOT keep you from visiting a dangerous website... or the consequences of doing so.) If you're lucky your anti-malware program MIGHT recognize that the link in that e-mail really isn't from "your bank"... But don't count on it. (That's why you NEVER click on the link in that e-mail... but go straight to your bank's website instead.) And a lot of people still don't seem to have figured out that, when they click on a link, it may or may not go where it says it does. Or that the "From" field in an e-mail header can say whatever the person sending it decides to fill in. And that, if you reply to that e-mail, the reply may or may not go to that address. The current reality is that, as a private individual, you are really NOT at risk of "someone finding your network through the Internet". That's just not the way it works these days. If you're a company, with a company website, and perhaps a big corporate network, someone may try to find a way in using something like port scanning. This makes sense because they have a starting point (or a whole bunch of them). But, to be quite blunt, nobody really cares about trying to hack into YOUR network, and there are literally billions of devices on the Internet these days. And the basic level of NAT used in all modern routers makes doing that almost impossible anyway. But, as an individual, the real risks are that you will run something you shouldn't, or click on something you shouldn't, or visit a dangerous website.

Or that someone will compromise a server that you routinely connect to... and so gain access to all of the customers that use it. The other catch these days is that sometimes we're forced to sacrifice security for convenience. For example... both JAVA and Active-X are at least somewhat risky from a security perspective... so disabling them would be a nice idea. But I'll bet your bank's website won't work if you disable one or both of them. (They're more concerned about pretty mouse-over buttons than about the best possible security.) And, yes, DO make sure that notice about that security update REALLY came from where you think it did... And DON'T click on the link in that e-mail anyway... Let the software do its own direct update or go straight to the manufacturer's website and download the update. Fake threat notifications... and fake security updates... are both common tricks too these days.

Incidentally, here is a list of the officially specified ranges of private IPv4 addresses. Any device that has an address in any of these ranges cannot be seen or accessed directly from the Internet. They are reserved for "inside use"... and so can only receive inbound traffic that your router specifically sends to them. (As specified in the closest thing the Internet has to "rules"... datatracker.ietf.org/doc/html/rfc1918 )

10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

> Keith, as right as you may or may not be? There is NO substitute for proper practices...... And it's dumb stuff, I'll admit. Opening certain emails or stuff from what LOOKS like your bank or credit card people. I got a note from 'amazon' which was bogus. Some of those posts will not even forward to the security people of those who they are spoofing.... I was selling something on Craigslist. Got an 'offer' from the other side of the country. They basically asked if I'd take a 2-party, Post Dated, Out of State check....for more than I was asking AND they'd shoot me a shipper. The last? A giveaway. You have NO control and the shipment can be diverted. And when it doesn't 'arrive' you are screwed. I was selling some camera gear. Got a note from Asia asking if I'd ship....'right away for my boyfriend's birthday'......Sure...... All sorts of scams, which while not exactly 'internet security' are related to good practices. When I sold stuff person-to-person? I met 'em in a parking lot at a police station..... The people that did Gibson Research did 'Shields Up' which was a valuable learning experience at that time. I don't know about today, it's been years. At hacker conventions? OS is almost always 'the first to go'......I'm not up to date and Nothing is static, but I'd be surprised if the war was over, in favor of the OS.... I'll maintain the fussing with the details can make a difference. Sure, once you do a Fundamental GOOD setup, don't mess with it. Is JAVA still a thing? Delete? Reduce your profile by one more program...... And if you get notice to install security updates? Probably a good idea.
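The three RFC 1918 ranges Keith lists, as an added example that is not part of the original post: a small Python check built on the standard library's ipaddress module classifies addresses against those ranges and is then run over a few constructed firewall log lines. The key=value log format, the interface names and all addresses are invented for the demo (the routable ones come from the RFC 5737 documentation blocks). The defensive point it adds is the converse of Keith's: a packet arriving inbound on the Internet-facing interface with a private source address cannot legitimately have come from the Internet, so it is spoofed or misrouted and worth flagging.

```python
"""Check addresses against the RFC 1918 private ranges and scan constructed
firewall log lines for private sources arriving on the Internet-facing side."""
import ipaddress

# The three ranges from RFC 1918
RFC1918_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(address):
    """True if the IPv4 address falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def classify(address):
    return "private (RFC 1918)" if is_rfc1918(address) else "routable/other"


# Constructed sample log lines in a made-up key=value format (not from any real
# router); the public addresses are from the documentation ranges of RFC 5737.
SAMPLE_LOG = """\
2022-06-15T11:08:50 iface=wan dir=in src=203.0.113.7 dst=198.51.100.20 dport=443 action=drop
2022-06-15T11:08:51 iface=wan dir=in src=10.0.0.5 dst=198.51.100.20 dport=22 action=drop
2022-06-15T11:08:52 iface=lan dir=out src=192.168.1.10 dst=203.0.113.99 dport=443 action=allow
2022-06-15T11:08:53 iface=wan dir=in src=172.16.200.1 dst=198.51.100.20 dport=445 action=drop
"""


def parse_line(line):
    """Split the 'key=value' tokens that follow the timestamp into a dict."""
    return dict(token.split("=", 1) for token in line.split()[1:])


def inbound_private_sources(log_text):
    """(src, dport) for every WAN-inbound line whose source claims an RFC 1918
    address. Such packets cannot legitimately come from the Internet, so they
    are spoofed or the result of a misconfiguration and deserve a look."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields["iface"] == "wan" and fields["dir"] == "in" and is_rfc1918(fields["src"]):
            hits.append((fields["src"], int(fields["dport"])))
    return hits


if __name__ == "__main__":
    for addr in ("10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.0.1", "203.0.113.7"):
        print(f"{addr:16} {classify(addr)}")
    print(inbound_private_sources(SAMPLE_LOG))
```

Note that 172.32.0.1 is classified as routable: the /12 block ends at 172.31.255.255, exactly as the table says, and an off-by-one there is a common mistake in hand-written allow lists.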
Post by KeithL on Jun 15, 2022 11:13:29 GMT -5
To be fair I wouldn't expect any reasonably modern computer to have trouble doing so... which includes any Mac Mini with dual-cores or better. And, if it was traffic related, or due to load issues when Roon is downloading something, or doing some sort of database update, I would expect it to only happen occasionally (and it would be obvious that the problem coincided with some other sort of activity.) It seems more likely to be some sort of port timing issue... which would be related to something in the configuration... or a driver issue of some sort.

> Although the machine is an older one, it still runs the latest OS. To preserve its utility, I've added a 2TB SSD, and installed all the RAM it could hold. With only Roon running, it may be OK. Should it not be, my next choice would be a custom built Linux box used exclusively for Roon.

> I've not had any issues running my 2012 Mac Mini for Roon and an attached HDD. Simple and easy. Granted that a brand new Mac Mini may run a split hair faster but I don't believe it's worth any more investment than the older steady as she goes 2012 MM.
Post by Boomzilla on Jun 15, 2022 11:16:54 GMT -5
Alles lookenspeepers! Das komputen machine ist nicht for sightseeren unt gerfingerpoken!
Boom
Post by KeithL on Jun 15, 2022 11:28:36 GMT -5
I don't disagree with anything you said... but you can't blame the government for everything. It's not just the politicians who aren't interested in better security. End users will ALWAYS take convenience over security. And vendors will always, in the end, favor proprietary solutions if they can get away with it. (And, without a standard, most people won't pick a proprietary solution for something like e-mail.) And, as long as most of them have that priority, security is going to be at a stalemate. I would say that e-mail is an excellent case in point. The current e-mail system was never designed to be especially secure. E-mails aren't even encrypted. And there are secure encrypted e-mail systems available. But nobody I know bothers to use one. Even two-factor authentication is having a difficult go of being established. When I signed on with PayPal many years ago they offered a hardware security token... It worked quite well... and I had mine for years. (They actively promoted it for several months but, after that, you had to really dig to even find out about it.) But when my token died a few years ago they refused to replace it. It's been replaced with a "phone based token app" which is certainly less secure... (I don't even know if they still have that or if now it's only "we'll send you a number on your phone".) And I'll bet the vast majority of their customers don't even bother to use that... (And just try to convince your bank to give you a new debit card that DOESN'T do "tap to pay".) End users always think better security is a great idea... But, as soon as it comes to putting in a little effort, they always go with convenience... And, until a significant number of users actually ask for better security, and show that they'll actually use it, it isn't going to change. What's interesting is how many end users are fearful enough these days to "want" or believe they "need" better security... Which is why we see so many promises from VPN companies, and anti-virus companies, and even the little stamper that prints black stripes on your bills... And an app they can put on their phone is OK... and asking them to actually read a text may be OK... but don't ask them to actually carry a separate security token... Most end users almost ALWAYS want, and choose, the easy solution...
Post by housetech on Jun 15, 2022 13:26:29 GMT -5
What really scares me the most is our power grid. For 30 years the Society of Electrical Engineers have begged Congress to spend money to strengthen the electrical grid. The power companies won't spend the money to do it. Congress refuses to spend $3-5 Billion to stop sun flares or EMP bomb damage (using shunts) that could put US in the stone age without power. But they will throw $Billions overseas and not even blink. I've read it takes 6 months (don't know for sure) to build & ship the xformers used in the grid and I understand Siemens (in Germany) is now the only manufacturer. Maybe the ChiComs are building them now.
That is scary.
Post by leonski on Jun 15, 2022 14:32:32 GMT -5
I have a copy of PGP from DOS days. Still on a floppy! I also experimented briefly with a program (also DOS based) which replaced the least significant digit in a photo with YOUR message. You needed a password to 'undo' the encryption to get AT the message. It worked and when you looked at the photo, was invisible. B&W photos worked best. I think it may have been possible to identify subtle color shifts by eye....? And while No Longer state of the art....That was in 1940 or so? I'd LOVE a software version of ENIGMA. The German Naval Version was quite the best of the bunch. The Allies used brute force to limited results but had the best results when after taking a German ship, taking the code book (next couple months of keys) and a set of rotors. The rotors were updated and I think at the end of the war? maybe 7 of 'em? And I think they added a 4th rotor to the machine...... Very secure for its time.......though a modern confuser should crack it in seconds. www.macs.hw.ac.uk/~foss/valentin/Naval%20Enigma.html
Post by Boomzilla on Jun 15, 2022 15:48:55 GMT -5
Post by leonski on Jun 15, 2022 15:50:05 GMT -5
At one point the future of private communication was what is called PUBLIC KEY ENCRYPTION.
Each user has a public key which is on what is called a 'keyring server'.......You can get a public key for anyone on such a server if you wish to send them a message. And each user has a PRIVATE key which is not shared.
So? If I wish to send YOU a message and not have it open to prying eyes? I use your public key to encrypt the message. And to make SURE it is from me? I SIGN the message using my PRIVATE key. So when you get the message? You Reverse the process. You Decrypt using your own personal key. Out pops a message but the signature is still 'scrambled'. You then use my PUBLIC key and out pops my signature.
Public and private keys are NOT mathematically related so you can't figure out one, knowing the OTHER. Key length is important and makes brute force attacks UnFeasible. So If you use a 128 bit key? Darn Good. But 256 is crazy and uncrackable.
That is? Until quantum computing becomes the norm and then I suspect a Brute Force attack, as was largely successful when Enigma was the norm.....would again be possible.....
Human Engineering may still provide an avenue into such cryptosystems.......
Post by KeithL on Jun 15, 2022 16:33:23 GMT -5
Public key encryption is still used in lots of things... including TLS/SSL and HTTPs... and modern WiFi protocols... But all of the key exchanges are now done behind the scenes. That's why HTTPs really is quite secure... at least between the two end-points... If you want that sort of security you have someone connect and log in to a secure website that uses HTTPs... (The "certificate authority" is pretty much taking the place of your "keyring server".) The NSA figures that quantum computing won't obsolete public key encryption for a few years yet... And, if you're willing to actually go to the trouble to personally exchange keys, good old symmetrical encryption is still quite reliable. (Just use something standard and not some proprietary "secret sauce" that belongs to one specific product or vendor - some of them are really bad.) But when is the last time you actually saw someone use PGP for e-mail? There have been attempts to offer commercial encrypted e-mail options... But I can't think of any that have been especially successful... Although there may still be a few around that are used by a few big companies... But what end user wants secure e-mail that only they and a few of their friends can read? (And there are other messaging systems that do offer pretty good security.) Nowadays most of the weak points are outside the cryptography itself. For example I could send you a piece of malware that would replace a few files on your computer. Then, the next time you ran "PGP", it would be my phony copy, which would pretend to unlock a phony keyring when you entered your password. It's harder than you might think to avoid attacks like that. If you like reading about this sort of thing check out: www.schneier.com/ And, if you want to see lots of current info about security in general, check out: www.infosecurity-magazine.com/news/ Notice that virtually all "attacks" are carried out against large organizations... Whereas simple users generally fall victim to various scams and phishing campaigns (which they could usually avoid simply by being careful)...
Post by KeithL on Jun 15, 2022 16:39:58 GMT -5
By today's standards Enigma would be pretty weak... The whole fun part is that it was done with mechanical machinery... Hiding messages in pictures (among other places) is called steganography... And, of course, you can encrypt the message first, then hide it in the picture... And it's still around... resources.infosecinstitute.com/topic/steganography-and-tools-to-perform-steganography/ Incidentally... here's a Microsoft Enigma Machine simulator... it's a free app so have fun: apps.microsoft.com/store/detail/enigma-machine/9WZDNCRDGKZD?hl=en-us&gl=US
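The "encrypt first, then hide it in the picture" idea from this post and the least-significant-bit program leonski remembers, as an added example that is not code from either poster: the message is encrypted and authenticated, then written one bit at a time into the lowest bit of successive pixels of an 8-bit grayscale buffer, and the receiver reverses both steps. The cover "image" is a constructed gradient built in make_cover(), the key is a constructed demo value, and the stream cipher is SHA-256 in counter mode with an HMAC tag (a simple construction chosen so the example needs only the standard library). The max_pixel_change check shows why the change was invisible to the eye: no pixel moves by more than one gray level.

```python
"""Encrypt a message, then hide it in the least-significant bits of an 8-bit
grayscale pixel buffer; reverse both steps on the other side. The cover image
is constructed in make_cover(), so nothing is read from disk."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key, nonce, length):
    # SHA-256 in counter mode serves as the stream cipher for this demo
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """nonce || ciphertext || HMAC tag. A fresh nonce per message keeps the
    keystream from repeating; the tag lets the receiver detect tampering."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or payload modified")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def embed(pixels, payload):
    """Overwrite the LSB of successive pixels with a 4-byte length header
    followed by the payload bits (most significant bit first)."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for this payload")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def _read_bytes(pixels, offset, count):
    value = bytearray()
    for i in range(count):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (pixels[offset + i * 8 + bit] & 1)
        value.append(byte)
    return bytes(value)


def extract(pixels):
    length = struct.unpack(">I", _read_bytes(pixels, 0, 4))[0]
    if 32 + length * 8 > len(pixels):
        raise ValueError("length header inconsistent with cover size")
    return _read_bytes(pixels, 32, length)


def hide_message(pixels, key, message):
    return embed(pixels, encrypt(key, message))


def reveal_message(pixels, key):
    return decrypt(key, extract(pixels))


def max_pixel_change(original, stego):
    """Largest per-pixel difference the embedding introduced (never above 1)."""
    return max(abs(a - b) for a, b in zip(original, stego))


def make_cover(width=64, height=64):
    """Constructed grayscale gradient standing in for a real photo."""
    return bytes((x + y) % 256 for y in range(height) for x in range(width))


if __name__ == "__main__":
    cover = make_cover()
    key = b"constructed-demo-key"      # in practice a real key, exchanged out of band
    stego = hide_message(cover, key, b"meet at the usual place")
    print(reveal_message(stego, key), max_pixel_change(cover, stego))
```

Because the encryption runs first, someone who pulls the LSB plane out of the picture gets random-looking bytes rather than the text, and because of the tag a single flipped pixel in the payload area is reported as tampering instead of silently yielding garbage.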
Post by leonski on Jun 15, 2022 16:48:43 GMT -5
Yeah, Keith, I saw the Windows version. But I hope for Mac! Maybe build one and do it the old-fashioned way?
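A software Enigma that runs anywhere Python does, Mac included, as an added example that is not from either poster or from the Microsoft app Keith links: a three-rotor Enigma I with the published historical wirings for rotors I, II and III and reflector B, including ring settings, the plugboard and the middle rotor's double step. The settings and message in the demo are constructed. The key_space_without_plugboard() figure backs up leonski's remark that a modern machine cracks it in seconds: without the plugboard there are only 105,456 rotor-order and start-position combinations to try, and the rotor wirings themselves were never secret once a machine had been captured.

```python
"""Enigma I simulator (rotors I, II, III and reflector B) in plain Python.
The rotor and reflector wirings are the published historical ones; the
settings used in the demo at the bottom are constructed for illustration."""
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# name -> (wiring as seen from the entry side, turnover notch letter)
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, position="A", ring="A"):
        wiring, notch = ROTORS[name]
        self.forward = [ALPHA.index(c) for c in wiring]               # right-to-left pass
        self.backward = [self.forward.index(i) for i in range(26)]    # return pass
        self.notch = ALPHA.index(notch)
        self.pos = ALPHA.index(position)    # letter showing in the window
        self.ring = ALPHA.index(ring)       # Ringstellung: wiring offset relative to the letter ring

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _offset(self):
        return (self.pos - self.ring) % 26

    def pass_forward(self, contact):
        o = self._offset()
        return (self.forward[(contact + o) % 26] - o) % 26

    def pass_backward(self, contact):
        o = self._offset()
        return (self.backward[(contact + o) % 26] - o) % 26


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), positions="AAA", rings="AAA", plugboard=""):
        # rotors are listed left to right; the signal enters the rightmost one first
        self.left, self.middle, self.right = [
            Rotor(name, pos, ring) for name, pos, ring in zip(rotors, positions, rings)
        ]
        self.reflector = [ALPHA.index(c) for c in REFLECTOR_B]
        self.plug = list(range(26))
        for pair in plugboard.split():      # "AB CD" swaps A<->B and C<->D
            a, b = ALPHA.index(pair[0]), ALPHA.index(pair[1])
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        # Rotors move before the contact closes. The middle rotor turns when the
        # right rotor is at its notch, and also when it sits on its own notch,
        # dragging the left rotor along (the "double step").
        if self.middle.at_notch():
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def press(self, letter):
        self._step()
        c = self.plug[ALPHA.index(letter)]
        for rotor in (self.right, self.middle, self.left):
            c = rotor.pass_forward(c)
        c = self.reflector[c]
        for rotor in (self.left, self.middle, self.right):
            c = rotor.pass_backward(c)
        return ALPHA[self.plug[c]]

    def run(self, text):
        """Encipher (or, with identical settings, decipher) a message; non-letters are dropped."""
        return "".join(self.press(ch) for ch in text.upper() if ch in ALPHA)


def key_space_without_plugboard():
    """Rotor orders (3! for three rotors) times starting positions (26^3):
    the search space a brute-force attack faces when the plugboard is ignored."""
    return 6 * 26 ** 3


if __name__ == "__main__":
    print(Enigma().run("AAAAA"))                        # canonical check value: BDZGO
    settings = dict(positions="QEV", rings="BCD", plugboard="AB CD EF")
    ct = Enigma(**settings).run("WEATHER REPORT")
    print(ct, Enigma(**settings).run(ct))               # reciprocal: same settings decipher
    print(key_space_without_plugboard())
```

The reciprocity in the second demo line (the same settings both encipher and decipher) comes from the reflector, and it is also the machine's best-known weakness: no letter can ever encipher to itself, which is what let a guessed crib such as a weather report be slid along a ciphertext to find where it could not fit.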
hemster
Global Moderator
Particle Manufacturer
...still listening... still watching
Posts: 51,950
Post by hemster on Jun 15, 2022 17:18:07 GMT -5
Now we know why your moniker is Boomzilla!!
Post by marcl on Jun 15, 2022 17:26:12 GMT -5
Keep the house full of water, in case the back yard catches fire.
Post by Boomzilla on Jun 15, 2022 19:11:26 GMT -5
Been there, done that, got the T-shirt. (And more than once.) And just for the record... I HATE firemen. It's not that I don't respect and appreciate them, it's not that I don't understand the need for them, and it's not that I'm not glad for them to be there. But firemen, to me, are a sign of failure. If the firemen got called, then (as a safety engineer) I've failed to prevent the fire, explosion, or release that they're responding to. I'd be a happy camper if the firemen stayed around the station house & drilled, cooked really good meals, and waved at the pretty girls passing by. Just sayin'...
Boomzilla
Was there for this one too:
Post by leonski on Jun 15, 2022 21:59:16 GMT -5
Boom? Any experience with SILANE? This is pyrophoric and intolerant (as you know) of ANY leak.....
Post by Boomzilla on Jun 15, 2022 22:13:01 GMT -5
Silane is one of the (very) few chemicals that I’ve managed to miss. I have, however, had experience with butadiene, ethylene-oxide, organic peroxides, pyrophoric catalysts, hydrogen, hydrogen fluoride, coke, phenol, cyanogens, and many others. My career in chemical process safety will officially end this year. I’m shutting down my consulting business and retiring. I may still do a few jobs for local clients, but I’m no longer formally doing any new work. It’ll give me more time for audio?
Post by leonski on Jun 16, 2022 0:24:54 GMT -5
Hydrogen? Is like a 'who cares' chemical where I come from. My first job in the industry? We had a cracker making hydrogen from, I think, ammonia. It was heated up and passed over a catalyst.....I think we replaced ours with NICKEL BALLS.
I helped administer the sieves which removed moisture and 'cleaned' the gas for use. It was a double machine and would switch sides and do a 'regen' on the OTHER by timer.....
But long / short? Big deal. We had burn offs on the exit stacks of the long belt annealing furnace and alarms on THEM if a flame-out.
Worse? Stuff for implanters. Lecture bottles of Phosphine, Arsine and Boron Trifluoride.....BF3, I think....ZERO leak tolerance. All sorts of other stuff....Some proprietary gasses used in plasma etchers.
The output product? Chewed up pumps like you do your salad......
We had an MSDS book the size of a medium-size city's phone book.....
Nah, the ONLY silane I worried about was PHOS DOPED for use in LPCVD......Low Pressure Chemical Vapor Deposition.....and by low temp? Maybe 425°C, give or take. The phos made the 'glass' a little softer and easier to etch.
Bottle content was calibrated to yield a certain concentration in the final film. The OTHER way was to use pure phos and its OWN Mass Flow Controller plumbed into the gas distribution 'circuit'....
Man, that was fun stuff.....
One of the coolest things you could see? When hydrogen and oxygen were mixed in a VERY hot spot called a source furnace. The JET of what was just incandescent LIVE STEAM was really beautiful....This steam was used in oxidation furnaces to create a layer of SiO2 (we just called it oxide) on the top of a wafer. This was an insulation layer upon which we built most of the rest of the device....
One day I'll PM you with a story about an HF leak......downed our plant for over a month and sent a couple guys to the HOSPITAL for months.......a really AWFUL bit of history.
Post by Boomzilla on Jun 16, 2022 10:48:04 GMT -5
Thanks, but enough war stories for me. I've got my book done & I'm ready to move on.