by _8j50 1525 days ago
As a default, you should not consider your gateway network device in your trusted zone. This is one of many reasons why you should VPN (including personal, commercial, Tor, whatever your cup of tea) all traffic elsewhere.

You might think "that only moves the attack surface", and you are both right and wrong. Technically it is moved, but you eliminate LAN-based, wireless (think WPA) and untrusted network devices from the equation and reduce them to one attack surface. Not only that, the threat actors most relevant to most people's threat models are not able to operate, or operate with reduced capability for the most part, when the attack surface is not a home network/device managed by individuals (and crappy vendors, ISPs, etc.).

It can pay for itself: don't worry about network device security; just get the cheapest yet fastest stack and VPN through it.
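One concrete form of "VPN all traffic elsewhere" is a WireGuard full tunnel to a self-hosted VPS, as later suggested in this thread. The wg-quick client config below is an added example, not the commenter's own; the endpoint address, keys and tunnel addresses are placeholders, and the PostUp/PreDown rules follow the kill-switch pattern from the wg-quick man page so that nothing leaves via the untrusted gateway if the tunnel drops.

```ini
# /etc/wireguard/wg0.conf on the client (laptop, phone, or a router you control).
# Placeholders: replace <...> values with your own; the VPS endpoint is assumed.
[Interface]
PrivateKey = <client-private-key>
# Tunnel-internal address; must match the AllowedIPs entry on the VPS side.
Address = 10.8.0.2/32
# Pin DNS to a resolver reachable only through the tunnel, so the gateway's
# DHCP-supplied resolver never sees your queries (a common leak with full tunnels).
DNS = 10.8.0.1
# Kill switch (wg-quick man page pattern): reject any outbound packet that is not
# going out of the tunnel interface, is not WireGuard's own fwmarked traffic to the
# endpoint, and is not destined for a local address. Removed cleanly on shutdown.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = <vps-public-key>
# The only destination the untrusted gateway ever sees in the clear: the VPS.
Endpoint = <vps-public-ip>:51820
# 0.0.0.0/0 and ::/0 make wg-quick install a default route through the tunnel
# (via fwmark + policy routing), so LAN peers and the gateway are no longer
# on-path for anything but encrypted WireGuard datagrams to the endpoint.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive through the home router.
PersistentKeepalive = 25
```

After `wg-quick up wg0`, verify with `ip route get 1.1.1.1` that the route leaves via `wg0`, and that `wg show wg0` reports a recent handshake; the iptables rule makes the failure mode a loss of connectivity rather than a silent fallback to the gateway.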


I forgot, VPNs are unpopular on HN because? Someone popular said so? Lol. This includes WireGuard to your VPS too, if that helps. Anything but nude networking, as I call it.
It's unpopular from my standpoint because it "necessitates/assumes the trustworthiness of an external provider of compute service". It being considered a default implies you waive 4th Amendment protections.

Whereas securing your own network keeps them intact within your infrastructure.

Cloud is not always the answer. Learning to network and compute is.

> It's unpopular from my standpoint because it "necessitates/assumes the trustworthiness of an external provider of compute service". It being considered a default implies you waive 4th Amendment protections.

This is why we should learn from what Ed Snowden presented: just about all of the data gathered by the NSA and their contemporaries utilized the concept that encryption and security should only exist at the edge, and they were capturing network traffic inter-network and intra-DC.

There were reasons why companies like Google took his whistleblowing seriously and changed their infrastructure accordingly because none of them feel safe leaving their "secret sausage recipe" exposed while still technically out of band from the customer paths.

Not at all, the external provider (cloud/Tor) is still untrusted; I never implied that. It is a risk reduction strategy. If you care about security you must define your threat model and risk boundaries.