by pXMzR2A 4089 days ago
> I'm not hiding anything dubious - if I was I'd install a firewall box asap.

This person does not do online banking, does not have a webcam or mic installed device such as a laptop, and does not have an email account.

The only reason I don't have a firewall box behind my residential router is because I don't have money to buy extra hardware.


To be fair, I know that firewalls have come to be considered "good security practice" -- but I've always been more comfortable only exposing programs that are supposed to talk to the Internet. Any recent version of Windows (say 8.1) comes with a firewall enabled (and that's needed, as Windows is still a bit chatty with various SMB protocols etc... just don't enable file sharing on your LAN if it's not protected from the Internet...). Don't know about OS X -- and for a Linux box, one can just make sure that everything is either off, listens on loopback -- or is supposed to be open.

Now, in many settings one does need a "LAN" in the sense of a firewalled playground for hopeless consumer devices, such as printers, IP web cameras etc.

Perhaps the biggest reason to have a firewall is if you're running Windows -- as unpatched Windows machines live dangerously on the open Internet. And you'll be unpatched from initial install until you've patched up...

AFAIK it's been a while since any major Linux distro shipped with a remote (no action needed, like browsing) vulnerability out of the box.

As for "does not have an email account" -- I generally assume that anyone with half a brain can patch into the upstream DSLAM of my DSL line, so anything between me, and everywhere else is suspect. Which is of course why I protect my IMAP/SMTP with TLS.

[edit: consider people that use a laptop outside of the home -- they'll probably have to use dubious wireless links. It's more convenient to assume that the trust boundary between you and the Internet is at the local Ethernet port/wireless card -- than anywhere else. That way you can have one set of "OpSec" that works (or not) wherever you are -- rather than fighting an uphill battle of situational awareness...]

>"This person does not do online banking, does not have a webcam or mic installed device such as a laptop, and does not have an email account."

I don't know a ton about networking (probably not too much in fact) but doesn't HTTPS fix most of this? And if your laptop grants access to its mic/webcam to any packet that manages to make it past your router, I think you have a bigger problem.

Most devices trust their router a lot. HTTPS on its own doesn't protect you from a malicious router. Strict Transport Security and Certificate Pinning are also necessary for HTTPS to protect you against an evil router, and even then it does nothing about all the unsecured and weakly secured traffic and devices on your LAN and all the opportunities that come from being able to lie about DNS records. If you can't trust your router, you really just have to initiate a secure VPN connection to a network that isn't out to get you.

> If you can't trust your router, you really just have to initiate a secure VPN connection to a network that isn't out to get you.

:( That's really frustrating. So you really need to VPN to a secure network any time you use free Wi-Fi?

Yeah. With the right security software on your device and the right options on the server you could theoretically initiate a properly secured connection with some web sites, requiring DNSSEC, STS, etc., but for general purpose use you need the VPN.

Email and banking have two-factor authentication and run over SSL, so it would have to be a very determined hacker to get to my money.

It's not perfect, but I'm pretty comfortable with the risk balance. Things like all these Android apps containing god knows what make me way more jittery (see Google's recent cleanup).