by tya99 2638 days ago
> Anti-cheat software seems like a great platform to launch targeted malware in order to achieve a beachhead on a computer network: highly targeted, and effectively undetectable.

> I would expect most software developers don't sandbox their gaming machines from their work-from-home environments.

I have been worried about this for some time. In my country we have a lot of issues with metadata retention so I set something up like this[0].

I have separate VLANs:

• VLAN 1: Management (no tag, null route)

• VLAN 2: Untrusted (routes direct to ISP via ppp0)

• VLAN 3: Trusted (routes direct to ISP via ppp0)

• VLAN 4: Trusted (routes via tun0 - VPN connection for private browsing etc)

• VLAN 5: Null route for devices that do not require internet access of any kind: desk phones, printers, etc.

(Doesn't have to be a Raspberry Pi; you can use anything that Alpine Linux runs on, which is x86_64, x86, ppc64le, s390x, armhf, aarch64 (ARMv8, like the Raspberry Pi 3), and armv7 (Raspberry Pi 2 and friends).)[1]

[0] https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

[1] https://alpinelinux.org/downloads/

The idea is that anything on VLAN2 is completely segregated at the switch and router level from the rest of my network.
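As an added example (not code from this thread or from the Alpine wiki page it links), here is one way to build the five-VLAN router described above on a Linux box using ip(8) policy routing and nftables. The trunk interface eth1, the ISP link ppp0, the VPN tunnel tun0 and the 10.0.n.0/24 subnets are assumptions for the example; the point it adds is how per-VLAN routing tables give VLAN 3 and VLAN 4 different exits while the forward chain keeps VLAN 2 off the rest of the LAN, and why VLAN 4 needs a fallback rule so a VPN outage does not leak traffic to the ISP.

```shell
#!/bin/sh
# Added example: not code from the thread or from the Alpine wiki page it links.
# Builds the five-VLAN router described above on Linux with ip(8) policy routing
# and nftables. Assumptions (all mine): the switch trunk is eth1 carrying VLAN
# tags 1-5, the ISP PPPoE link is ppp0, the VPN tunnel is tun0, and VLAN n uses
# the constructed subnet 10.0.n.0/24 with the router at .1.
# DRY_RUN=1 (the default) prints every command instead of executing it, so the
# plan can be reviewed before it is run as root on the real router.

DRY_RUN=${DRY_RUN:-1}
TRUNK=${TRUNK:-eth1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vlan_setup ID EGRESS   EGRESS is ppp0, tun0, or "null" for no internet at all.
# Each VLAN gets its own routing table (100+ID), which is what lets one trusted
# segment go straight to the ISP while the other goes through the VPN.
vlan_setup() {
    id=$1; egress=$2; dev="${TRUNK}.${id}"; table=$((100 + id))
    run ip link add link "$TRUNK" name "$dev" type vlan id "$id"
    run ip addr add "10.0.${id}.1/24" dev "$dev"
    run ip link set "$dev" up
    run ip rule add iif "$dev" lookup "$table" priority "$table"
    if [ "$egress" = null ]; then
        run ip route add blackhole default table "$table"
    else
        run ip route add default dev "$egress" table "$table"
    fi
}

# forward_allow IN OUT   Permit forwarding from interface IN to interface OUT.
forward_allow() {
    run nft add rule inet filter forward iifname "\"$1\"" oifname "\"$2\"" accept
}

router_config() {
    run sysctl -w net.ipv4.ip_forward=1
    # LAN subnets always resolve through the main table so trusted VLANs can
    # reach each other; the forward chain below decides which pairs may.
    run ip rule add to 10.0.0.0/16 lookup main priority 50

    vlan_setup 1 null   # management: switch admin only, no way out
    vlan_setup 2 ppp0   # untrusted: gaming box and guests, straight to the ISP
    vlan_setup 3 ppp0   # trusted, direct ISP
    vlan_setup 4 tun0   # trusted, everything via the VPN
    vlan_setup 5 null   # printers and desk phones: LAN only

    # If tun0 goes down its default route disappears and the lookup for VLAN 4
    # would fall through to main and leak out ppp0; this rule closes that hole.
    run ip rule add iif "${TRUNK}.4" unreachable priority 200

    run nft add table inet filter
    run nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
    run nft add rule inet filter forward ct state established,related accept
    # Trusted VLANs 3 and 4 may talk to each other; each has exactly one egress.
    forward_allow "${TRUNK}.3" "${TRUNK}.4"
    forward_allow "${TRUNK}.4" "${TRUNK}.3"
    forward_allow "${TRUNK}.3" ppp0
    forward_allow "${TRUNK}.4" tun0
    # Untrusted VLAN 2 reaches only the ISP. No rule names another VLAN as its
    # destination, so the chain's drop policy keeps it off the rest of the LAN.
    forward_allow "${TRUNK}.2" ppp0
    # VLAN 1 and VLAN 5 get no forward rule at all: null-routed by design.

    run nft add table inet nat
    run nft add chain inet nat postrouting '{ type nat hook postrouting priority 100; }'
    run nft add rule inet nat postrouting oifname '"ppp0"' masquerade
    run nft add rule inet nat postrouting oifname '"tun0"' masquerade
}

router_config
```

Run it as-is to review the plan; `DRY_RUN=0 sh router.sh` as root applies it. The dry-run listing joins arguments with spaces, so nftables expressions lose their shell quoting in the printout but are passed intact when executed.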


Upgrading to managed switches, I had thought about making a bunch of VLANs in a similar manner. But I ended up settling on something much simpler.

There are essentially just two segments / types of switch ports (I may have stuck with the many-vlans thing if switch ports had RGB LEDs showing what zone they were in...). First, the "trusted" network, which does switch management, servers, reasonably-behaved hosts, etc.

Then, a second "access" segment. Ports in this segment are set up to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.

For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself. Two hosts on the same segment can see drastically different routing tables and Internet connections. This isn't perfect, as it can be easily spoofed unless I start pushing the switchport-mac mapping out to the switches. But it works for now.

But I believe "sandboxing" in the original comment was talking about the machine itself, not network access. So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM. In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus. No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.
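As an added example (not code from this thread), here is one way to implement the per-device routing horizon this post describes on a Linux router: nftables marks frames by source MAC on the access segment, and ip(8) policy rules send each mark to its own routing table, so two hosts on the same segment get different exits. The access interface eth1.2, the exits ppp0 and tun0, and the MAC addresses in the device table are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the per-device routing horizon described
# above, done on a Linux router with nftables marks and ip(8) policy rules.
# Assumptions (mine): the access segment is eth1.2, the ISP link is ppp0, the
# VPN is tun0, and the MAC addresses below are constructed sample values.
# DRY_RUN=1 (default) prints the commands rather than running them.

DRY_RUN=${DRY_RUN:-1}
ACCESS_IF=${ACCESS_IF:-eth1.2}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed device table: MAC, firewall mark, and the exit that mark selects.
# Two hosts on the same switch segment can point at entirely different tables.
DEVICES='
02:00:00:00:00:01 1 ppp0
02:00:00:00:00:02 2 tun0
02:00:00:00:00:03 3 null
'

# mac_policy MAC MARK EGRESS   Mark frames from MAC arriving on the access
# interface and route that mark through its own table. Matching iifname as well
# as the source MAC means a spoofed address only works from the same segment,
# not from any port on the network; it does not stop spoofing within the segment.
mac_policy() {
    mac=$1; mark=$2; egress=$3; table=$((200 + mark))
    run nft add rule inet mangle prerouting iifname "\"$ACCESS_IF\"" ether saddr "$mac" meta mark set "$mark"
    run ip rule add fwmark "$mark" lookup "$table" priority "$table"
    if [ "$egress" = null ]; then
        run ip route add blackhole default table "$table"
    else
        run ip route add default dev "$egress" table "$table"
    fi
}

per_mac_routing() {
    run nft add table inet mangle
    run nft add chain inet mangle prerouting '{ type filter hook prerouting priority -150; }'
    # A device with no mark falls through every fwmark rule to this catch-all,
    # so an unknown MAC on the access segment gets nothing until it is listed.
    run ip rule add iif "$ACCESS_IF" unreachable priority 300
    printf '%s\n' "$DEVICES" | while read -r mac mark egress; do
        if [ -n "$mac" ]; then mac_policy "$mac" "$mark" "$egress"; fi
    done
}

per_mac_routing
```

The unreachable catch-all at priority 300 is what makes the horizon default-closed: a new or spoofed MAC that is not in the table sees no internet at all rather than inheriting the main table's default route. As the post notes, the spoofing gap proper is only closed by tying MACs to switch ports on the switches themselves.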

Carefully constructing a household network topology and being disciplined with separate physical machines appears to be a strong mitigation.

But will your colleagues who play competitive online games be willing to buy a separate machine used only for remote employment, and be willing (and able) to construct such a network topology correctly?

Most household routers don't even support VLANs.

> Then, a second "access" segment. Ports in this segment are setup to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.

Yes, essentially that's what VLANs 3 and 4 are (trusted). They are able to talk to each other, but VLAN 2 (untrusted) cannot. VLAN 2 cannot access my server on the LAN or any other network resources, except in certain situations where I open a single HTTP port to a specific directory that is read-only. This is where guests would be. I use this to copy 'certain' files to my untrusted hosts. The exploitation surface area is extremely low. Switch configuration can only occur when on VLAN 1 (management). I can also control which VLAN people access via WiFi via my UniFi Controller. One SSID is a trusted network, the other is untrusted. I only use EAP so I can control exactly which users have access to which VLANs via FreeRADIUS. All of this is documented [0][1].

> For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself.

Remember MAC addresses can be spoofed, which means you can get things like VLAN hopping if you're not careful. My Windows machine where my gaming happens is "untrusted" and is in port 2 on the switch; my trusted machines are in ports 3 and 4. My other family members also have certain devices they consider 'trusted' and those are in VLAN 3/4, while they have devices that are 'untrusted' in VLAN 2. It took some time to educate everyone, but I drew pictures and explained it nicely. Unfortunately this is the world we currently live in.

I was concerned that an APT (advanced persistent threat) might have the time to monitor the system for idleness and then attempt such an activity. At least that is what I would do.

> But I believe "sandboxing" in the original comment was talking about the machine itself, not network access.

Well they are sort of the same thing in this situation because it's physical sandboxing.

> So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM.

> In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus of.

Exactly.

> No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.

This is exactly my point. In regard to my mobile phone I use a Redmi Note 5, with LineageOS, without Google Apps. If I tablet gamed I would have a 7" tablet specifically for that. I would tether it to my phone via WiFi AP and the CPU/GPU would probably be more powerful than you'd get in a phone anyway.

I only install things through F-Droid. I have made a significant attempt to de-google my life and have been successful.

Right now all I have on there is

• andOTP org.shadowice.flocke.andotp

• AnySoftKeyboard com.menny.android.anysoftkeyboard

• Barcode Scanner com.google.zxing.client.android

• BusyBox ru.meefik.busybox

• Call Recorder com.github.axet.callrecorder

• DAVx⁵ at.bitfire.davdroid - Used for syncing with my private Radicale instance.

• Draw com.simplemobiletools.draw.pro

• F-Droid org.fdroid.fdroid

• Fennec F-Droid org.mozilla.fennec_fdroid

• Flym net.frju.flym - RSS yay.

• Ghost Commander com.ghostsq.commander

• K-9 Mail com.fsck.k9

• Maps com.github.axet.maps - Provides a native experience for OSM maps. If I need Google Maps I just use a web browser.

• Markor net.gsantner.markor - Awesome text editor/markdown editor

• MuPDF viewer com.artifex.mupdf.viewer.app

• oandbackup dk.jens.backup

• OpenKeychain org.sufficientlysecure.keychain - PGP mail yes.

• OpenTasks org.dmfs.tasks - Used for syncing tasks with my private Radicale instance

• OpenVPN for Android de.blinkt.openvpn

• primitive ftpd org.primftpd - I upload/download via sftp to my phone without plugging it in, using ssh keys (i.e. /sdcard/.ssh/authorized_keys)

  # DUMMY only fills the password field lftp insists on; authentication is by the ssh key
  sftp_phone() { lftp "sftp://user:DUMMY@{{ IP_OF_PHONE }}" -e 'set sftp:connect-program "ssh -a -x -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o MACs=hmac-sha2-512,hmac-sha2-256 -i ~/.ssh/id_rsa"'; }

• RedReader org.quantumbadger.redreader

• Revolution IRC io.mrarm.irc - Yeah I still use IRC and not IRC bridges, yet with Riot because of https://github.com/vector-im/riot-web/issues/2320

• Riot.im im.vector.alpha

• Share to Clipboard com.tengu.sharetoclipboard

• Silence org.smssecure.smssecure

• VLC org.videolan.vlc

[0]: http://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_...

[1]: https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

To put it in terms of your network, I didn't want to deal with having to differentiate between VLAN3/VLAN4 switch ports (and wanted to leave room to grow multiple outgoing VPNs).

Also, I don't see the need for hosts on VLAN2 to be able to talk to one another, which enables me to default to putting decently trustable things in my access zone as well (like, say, an RPi running Raspbian/Kodi).

> Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful

Oh for sure, which is why I alluded to eventually pushing out per-port mac address config to the switches. But my primary concern is browser/pocketsurveillance traffic not going out my ISP's IP, and this suffices for now.

(Thanks for the dump of Free android apps you find useful. Not really on topic for the thread, but I personally appreciate it)