
> 1. Unlike most developed countries, in India (and many other developing countries), people in authority are expected to be respected unconditionally (almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.

Damn me, Scotland is going to be quite the culture shock for you.


I have had to train myself out of doing that when recording videos. The best I've managed is that I can do it sometimes, and most of the rest of the time I leave a long enough pause after that I can cleanly edit it off.

You know when you pass a nice classic car reeeeally slowly so you can get a good look? Aw yeah, don't see many of those, do you?

Can you do the same with mid-drives too?

One of the reasons I drive a 30-year-old Range Rover is that I have a complete copy of all the service documentation for it, in an easily-downloadable 500MB zip file which also includes manuals for a bunch of other models. I need roughly the same number of specialised tools to maintain and repair it as I do to repair and maintain my (perfectly ordinary non-electric) bike, although all the individual components are far heavier and considerably more likely to get oil all down my trousers.

Permaculture starts with things you can repair.


So, if you have NAT but a grossly misconfigured router, it might not be secure?

Quick question - do you think that "security by obscurity is not security"? And, as a follow-up, when you park your car do you ensure your laptop bag is out of sight, maybe locked away in the boot?

Because here's a mindblowing concept that'll change the way you see the world - you can have a door lock but it won't make you secure. You need to actually fit the lock to some sort of door.


If you have NAT, that doesn't tell you anything about whether the router is secure. All it tells you is that outbound connections made through the router will appear to come from the router's own IP; it doesn't tell you whether inbound connections will work or not.

Fast, too, isn't it? Must be on at least a 1Gbps connection.

Okay, I'm running tcpdump on my desktop. Send me some packets to 192.168.1.127 and I'll watch out for them.

How do they manage that?

If your public IP from your ISP is 12.13.14.15, and your internal block is 192.168.0.0/24, then your ISP can send a packet to 12.13.14.15 destined for 192.168.0.7, and without a firewall your router will happily forward it. An attacker who can convince intervening routers to send traffic destined for 192.168.0.7 to 12.13.14.15 (and these attacks do exist, particularly over UDP) can also do that.

You're using somewhat sloppy terminology that will confuse things. An IP packet can't be addressed both to 12.13.14.15 AND to 192.168.0.7.

The realistic attack here is that your ISP sends a packet with destination address 192.168.0.7 to the MAC of your router (the MAC that corresponds to 12.13.14.15). This is a realistic attack scenario if the device that your router connects directly to gets compromised (either by an attacker or by the ISP itself).

Getting a public route that would take packets destined for 192.168.0.7 to reach your router over the Internet is far more unlikely.


Okay, so not only do you have to create a bogus packet, you have to convince every piece of equipment in between you and the end user to collude with it, in the hopes that the final router is so woefully misconfigured as to act upon it?

The ISP is the primary threat vector here (do you trust yours? Along with their contractors and anyone who might have compromised them?). But like I said route-poisoning attacks do exist.

Yeah, but the likelihood of this is incredibly remote. It would shock me if ISPs didn't have alarms going off if RFC1918 space was suddenly routable within their BGP table.

Not to mention the return packet would be NAT'd so the attacker would have to deal with that complication.


You're missing the part where the ISP is the one doing it.

Mm. Can you give an example of that happening in real life?

Google "Eagerbee"

Not finding anything saying that ISPs have anything to do with Eagerbee.

ISPs were the vector for Eagerbee. Don't trust your next-hop router.

There's nothing on Google about that.

The return packet wouldn't be NATed, because stateful NAT tracks connections and only applies NAT to packets that belong to outbound connections.

Arguing over how likely this is is missing the point. If it can happen at all when you're running NAT, then it should be clear that NAT isn't providing security.


“if it protects 99.999% of attackers from reaching you but not this one specific attacker in this one case of misconfiguration, it’s not providing security”…

Dude, that’s a really shitty take and this is why people that do care about security end up ignoring advice from anyone who thinks this way.

You’re in the camp of “don’t use condoms because they can break”.


NAT doesn't protect you from 99.999% of attackers though. It doesn't do anything to incoming connections, so it actually protects you from 0% of attackers.

Yes, I trust everyone who works at it, mostly because I know where they live.

Do you trust the state actors who have compromised it?

Or more likely, network engineers who’ve been subpoenaed to collect the information?

Your scenario is plausible for high value targets. Like, what country wouldn’t want to have a friendly tech working at the ISP most politicians use in DC? That doesn’t seem improbable.

For the regular Joe Schmoe, I’d be more concerned with court-ordered monitoring.


Ah, that sounds like an American problem. If you're in the US, you're living in a hostile surveillance state that makes North Korea look like a hippy commune.

Oh yes, subpoenas are a uniquely American problem. eyeroll.png

I know all the people that work at it.

No, the router will only forward it with specific implementations that don’t isolate routing tables between the external and internal. Or an easier approach is just a stateless ACL on the external interface. Neither are a stateful firewall.

Send packets to the device? A NAT is in its most basic form a mapping from one IP/port set to another IP/port set describable by some function "f" and its inverse "g". The common home user case has the firewall detect a flow from inside the network and modify "f" and "g" to allow this flow. Without the firewall, and assuming you want your devices to talk to the internet in some way, the NAT would forward (with modifications) traffic based on "f" and "g" to all your devices.
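A small model of the "f"/"g" mapping described in the comment above, and of the earlier 12.13.14.15 / 192.168.0.7 scenario, showing that the translation itself delivers or drops nothing on its own and that it is the stateful rule that refuses the packet arriving from the WAN already addressed to a LAN host. This is an added example, not code from the thread; the addresses other than the page's 12.13.14.15 and 192.168.0.7 (198.51.100.10, 203.0.113.9) and the starting mapped port are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Port-address-translation model: outbound() is the thread's "f" (LAN ip/port
    -> public ip/mapped port), inbound() its inverse "g". stateful=True adds the
    firewall rule that drops WAN packets matching no mapping; False just forwards."""

    def __init__(self, public_ip: str, lan_prefix: str, stateful: bool) -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix    # "192.168.0." models 192.168.0.0/24
        self.stateful = stateful
        self.table: Dict[int, Tuple[str, int]] = {}  # mapped port -> (lan_ip, lan_port)
        self.next_port = 40000          # constructed first mapped port

    def outbound(self, pkt: Packet) -> Packet:
        # f: reuse the mapping for this LAN (ip, port) or allocate a new one
        key = (pkt.src_ip, pkt.src_port)
        port = next((p for p, v in self.table.items() if v == key), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # g: a packet arriving on the WAN interface; None means not delivered
        if pkt.dst_ip == self.public_ip:
            mapping = self.table.get(pkt.dst_port)
            if mapping is None:
                return None             # no translation: nowhere to send it
            return Packet(pkt.src_ip, pkt.src_port, *mapping)
        if pkt.dst_ip.startswith(self.lan_prefix):
            # Already addressed to a LAN host (the next-hop case above). Only the
            # stateful rule refuses it; a bare NAT simply routes it onward.
            return None if self.stateful else pkt
        return None                     # not addressed to this site at all

def demo(stateful: bool) -> Dict[str, Optional[Packet]]:
    r = NatRouter("12.13.14.15", "192.168.0.", stateful)
    r.outbound(Packet("192.168.0.7", 5000, "198.51.100.10", 443))  # LAN host opens a flow
    return {"reply": r.inbound(Packet("198.51.100.10", 443, "12.13.14.15", 40000)),
            "unsolicited": r.inbound(Packet("203.0.113.9", 12345, "12.13.14.15", 40001)),
            "lan_addressed": r.inbound(Packet("203.0.113.9", 12345, "192.168.0.7", 22))}
```

With stateful=False the "lan_addressed" packet is forwarded unchanged to 192.168.0.7; with stateful=True it is dropped, while the legitimate reply is delivered either way.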

> as long as you’re putting forth even a little effort to follow etiquette and you’re not causing problems for others or making a nuisance of yourself, nobody pays you any mind regardless of orientation

A bit like Glasgow then.


> Have we been having these more recently?

Yes, for suitable values of "recently".

> And I also never remember seeing Aurora at my latitudes.

How old are you?

If you're younger than, say, your mid-40s you probably won't remember the early 80s, which is the last time we had a solar maximum that really came to anything.

Solar activity rises and falls on an 11-year cycle, and right now we're experiencing quite a peak. The previous three, peaking in 2014, 2011, and 1989 were a bit of a bust.

There was a massive peak in 1979 and I can remember my dad showing me the aurora when I was about six or seven - it seemed to be present most nights over the winter. That was also around the time of the CB Radio craze, where atmospheric conditions were such that you could use "skip" - bouncing radio signals off the highly-charged ionosphere - to talk to people hundreds of miles away as if they were just down the road, even on the comparatively high frequencies that CB used. There was a bit of a peak in the late 80s, and some good RF propagation too, as well as some incredible aurora - although the big one I remember was in about the end of 1991, early 1992.

We had absolutely blistering hot summers followed by really cold and snowy winters, too, kind of like we're having at the moment.

If the solar cycles have a longer repeating cycle of intensity on the scale of a hundred years or so (and it looks a bit like they do) then the next solar maximum in about 2036 is going to be even bigger.

