by oil25 2428 days ago
> Instead of assuming you could lock down your internet pipe. Use a RPi as a security appliance with strong whitelisted firewall policy. At least have some insight into what traffic is going to and from your LAN.

Not only would a Raspberry Pi be severely under-powered for routing even a small home network, in no way does monitoring that "goes to and from your LAN" defend against an adversary Snowden warns about.

> Could also put in an entirely passive NIDS on a physical layer in-line with your network’s service entrance. Very difficult for anyone to defeat, when done right.

Again, I'm not sure what threat model you think this defends against, but certainly not a three letter agency intent on either tailored exploitation nor passive monitoring of your inbound and outbound network traffic by the same actor.


You used “either”, then “nor”; sorry, I lost the point you were making. I wasn’t sure about your point regarding the adversary already owning the pipe.

Tailored exploitation is a good point though.

Admittedly the RPi isn’t any current advice, except outdated hobbyist advice. If I cared to defend against a nation state I’d avoid general-purpose CPUs altogether and focus on in-house manufactured minimal circuits, possibly FPGAs, and printers or some other trusted peripherals. I’d build my own keyboards too.

The poster was concerned about video being hacked. This would be hard to hide, at least for being owned in real time, if one were keeping track of the packets coming and going. If you’re whitelisting all your outbound and disallowing inbound, and if your decoupled passive NIDS is set up right, you at least have the physical network layer covered.

If you’re targeted for tailored exploitation then you’d be considering a SCIF anyway if you really have something that important to hide. In a pinch, a Faraday cage would probably be a good idea if you can set it up right. Don’t trust any devices that come in or out.

> The poster was concerned about video being hacked. This would be hard to hide, at least for being owned in real-time, if one were keeping track of the packets coming and going.

How would keeping track of packets detect a compromised web cam absolutely? An SSL-encrypted connection to Amazon servers, for example, could easily be used to exfiltrate pictures, audio and even low-bandwidth recordings while still blending in with typical, expected Web traffic.

You’re right. One can’t assure that won’t happen unless you can ensure that every outgoing packet hasn’t been tampered with inside your computer. But that problem can also be tackled as part of a solution to reduce risk but not eliminate it.

How about simply using a new style of webcam that uses a physical shutter when active? Any reason I can’t go on Amazon and buy one? Are these illegal?

Sadly you’d want an analog push-button switch on mics only. A latch is also OK if done securely.

You could jump through tons of hoops to minimize risk for the above but given the complexity of a typical computer, most won’t have a chance as you noted.

If you whitelisted all your activity and took the other precautions noted (and if you have clean hygiene) then it would be much more difficult for your strong adversary as your nation state would need to own your box remotely. And it is possible to defend against that sort of thing. Yes if you just have indiscriminate traffic coming and going, defense becomes astronomically more difficult.
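The thread argues two things about a whitelisted egress policy with a passive sensor behind it: it catches a device talking to anything outside its policy, but it cannot tell an exfiltration session from legitimate traffic when both are TLS to an allowed destination. The added example below (written for this page, not code from any commenter) shows both halves over constructed flow records: a default-deny allowlist check per LAN host, and a per-host outbound volume baseline that goes one step beyond the thread by flagging an allowed destination suddenly receiving far more data than the device normally sends. All addresses, the policy table, the flow log format and the `factor`/`min_history` thresholds are assumptions made for the example.

```python
"""Egress allowlist check plus a per-host outbound volume baseline.

Added example, not code from the HN thread. Every address, the policy and the
flow records are constructed. Flow lines look like:
    "<unix_ts> <src> <dst> <dport> <proto> <bytes_out>"
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed policy: each LAN host may only reach the listed (network, port) pairs.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for a
# camera vendor's cloud service and for arbitrary Internet hosts.
ALLOWLIST = {
    "192.168.1.20": [("198.51.100.0/24", 443)],            # webcam: its cloud service only
    "192.168.1.10": [("0.0.0.0/0", 443), ("0.0.0.0/0", 80),
                     ("192.168.1.1/32", 53)],              # workstation: web plus local resolver
}

# Constructed flow log. The webcam normally sends a few KB per flow; one flow goes
# to an off-policy host, and one allowed flow carries ~900 KB.
SAMPLE_FLOWS = """\
1500000000 192.168.1.20 198.51.100.7 443 tcp 4200
1500000010 192.168.1.20 198.51.100.7 443 tcp 3900
1500000020 192.168.1.10 203.0.113.5 443 tcp 120000
1500000030 192.168.1.20 198.51.100.7 443 tcp 4100
1500000040 192.168.1.20 198.51.100.7 443 tcp 3800
1500000050 192.168.1.20 203.0.113.9 443 tcp 800
1500000060 192.168.1.20 198.51.100.7 443 tcp 900000
1500000070 192.168.1.10 192.168.1.1 53 udp 200
1500000080 192.168.1.30 203.0.113.5 22 tcp 500
"""


def parse_flows(text):
    """Parse the constructed flow format into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def is_allowed(flow, policy=ALLOWLIST):
    """Default deny: a flow passes only if its source host has a matching (network, port) rule."""
    return any(ip_address(flow.dst) in ip_network(net) and flow.dport == port
               for net, port in policy.get(flow.src, []))


def allowlist_violations(flows, policy=ALLOWLIST):
    """Flows the egress policy would block; a passive sensor should alert on every one."""
    return [f for f in flows if not is_allowed(f, policy)]


def volume_anomalies(flows, factor=5.0, min_history=3):
    """Flows sending more than `factor` times the median of the same host's earlier flows.

    This is the check that still has a chance against an allowed, encrypted
    destination being used to move far more data than the device usually sends.
    """
    history = {}
    flagged = []
    for f in sorted(flows, key=lambda f: f.ts):
        prior = history.setdefault(f.src, [])
        if len(prior) >= min_history and f.bytes_out > factor * median(prior):
            flagged.append(f)
        prior.append(f.bytes_out)
    return flagged


def report(text=SAMPLE_FLOWS):
    """Run both checks over a flow log and return the findings as plain tuples."""
    flows = parse_flows(text)
    return {
        "violations": [(f.src, f.dst, f.dport) for f in allowlist_violations(flows)],
        "volume": [(f.src, f.dst, f.bytes_out) for f in volume_anomalies(flows)],
    }


if __name__ == "__main__":
    for kind, items in report().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample log the allowlist check flags the webcam's connection to 203.0.113.9 and the unknown host 192.168.1.30, while the 900 KB flow to the camera's own cloud service passes the policy and is only surfaced by the volume baseline. A real deployment would feed this from the sensor's flow export, keep the baseline per (host, destination) rather than per host, and tune `factor` to the device's normal variance.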