
Ok - Assume Ransomware - How to find THE Box Responsible ?

From: M287v1.c...@nowhere (Margin)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 00:22:21 -0400
Message-ID: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
https://www.novabbs.com/computers/article-flat.php?id=5213&group=comp.os.linux.misc#5213

Say you have an office with 100, or 500, PCs - mostly Windows.

ONE of them clicks the fatal e-mail and unloads an encryption
virus against every available local/network drive.

How best to find THE offender, so it can be nuked, sterilized
and re-installed from scratch ?

In theory, something like tcpdump could record CIFS traffic
and keep logs for a day or so (data volume can be HIGH).
Alas now that SWITCHES have replaced HUBS, no given
machine sees ALL the network traffic. And no, you aren't
going to buy a gigabit or especially 10/gb hub these days.

I have a theory that a software-based firewall/router - first
thing after the cable modem - MIGHT be able to see all of
the traffic all of the time ... but I'll have to test this in several
ways.

The offending box will be the one generating huge volumes
of SMB/CIFS traffic to the NAS's in the last hour before
everything crashes.
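As an added example (not code from the original post), here is the OP's idea turned into a triage script: it parses lines in the format `tcpdump -tttt -nn -q` prints (format assumed; the capture below is constructed), keeps only client-to-NAS traffic on the SMB ports, and ranks clients by payload bytes sent in the hour before the shares were found encrypted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of `tcpdump -tttt -nn -q 'tcp port 445'` output (assumed format):
# "<date> <time> IP <src>.<sport> > <dst>.<dport>: tcp <payload length>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)
SMB_PORTS = {445, 139}

# Constructed capture: one chatty client (192.168.1.57), one normal client
# (192.168.1.23), a NAS reply, a non-SMB flow, a flow from before the window
# and one malformed line that the parser must tolerate.
SAMPLE_CAPTURE = """\
2021-06-11 13:05:01.000001 IP 192.168.1.23.50110 > 192.168.1.10.445: tcp 512
2021-06-11 13:40:12.000001 IP 192.168.1.57.51234 > 192.168.1.10.445: tcp 1460
2021-06-11 13:40:12.000200 IP 192.168.1.57.51234 > 192.168.1.10.445: tcp 1460
2021-06-11 13:40:12.000400 IP 192.168.1.57.51235 > 192.168.1.11.445: tcp 1460
2021-06-11 13:41:00.000001 IP 192.168.1.23.50111 > 192.168.1.10.445: tcp 200
2021-06-11 13:41:00.000002 IP 192.168.1.10.445 > 192.168.1.23.50111: tcp 1460
2021-06-11 13:45:00.000001 IP 192.168.1.57.51236 > 8.8.8.8.443: tcp 1460
2021-06-11 12:10:00.000001 IP 192.168.1.88.50500 > 192.168.1.10.445: tcp 9000
garbage line that does not parse
"""
NAS_HOSTS = {"192.168.1.10", "192.168.1.11"}        # constructed NAS addresses
CRASH_TIME = datetime(2021, 6, 11, 14, 0, 0)         # when the shares were found encrypted


def parse_line(line):
    """Return (timestamp, src, dst, dport, payload_len) or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dport"]), int(m["len"])


def smb_bytes_by_client(lines, nas_hosts, crash_time, window=timedelta(hours=1)):
    """Sum TCP payload bytes each client sent to an SMB port on a NAS during
    the `window` that ends at crash_time. Replies from the NAS are ignored:
    the encryptor's writes are what inflate the client-to-NAS direction."""
    start = crash_time - window
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, length = rec
        if dport not in SMB_PORTS or dst not in nas_hosts:
            continue
        if not (start <= ts <= crash_time):
            continue
        totals[src] += length
    return dict(totals)


def rank_clients(totals):
    """Heaviest SMB writer first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_smb_talkers(capture=SAMPLE_CAPTURE, nas_hosts=NAS_HOSTS, crash_time=CRASH_TIME):
    return rank_clients(smb_bytes_by_client(capture.splitlines(), nas_hosts, crash_time))


if __name__ == "__main__":
    for client, nbytes in top_smb_talkers():
        print(f"{client:<16} {nbytes:>8} payload bytes to NAS SMB ports in the hour before {CRASH_TIME}")
```

The ranking only works if the capture point sees the client-to-NAS traffic at all, which is the switch-versus-hub problem the thread goes on to discuss.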

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 13:09:46 -0400
Message-ID: <87eed85nvp.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
https://www.novabbs.com/computers/article-flat.php?id=5214&group=comp.os.linux.misc#5214

On Fri, 11 Jun 2021 00:22:21 -0400, Margin <M287v1.cloud> wrote:
>
> Say you have an office with 100, or 500, PCs - mostly Windows.

Congratulations!

> ONE of them clicks the fatal e-mail and unloads an encryption
> virus against every available local/network drive.
>
> How best to find THE offender, so it can be nuked, sterilized
> and re-installed from scratch ?
>
> In theory, something like tcpdump could record CIFS traffic
> and keep logs for a day or so (data volume can be HIGH).
> Alas now that SWITCHES have replaced HUBS, no given
> machine sees ALL the network traffic. And no, you aren't
> going to buy a gigabit or especially 10/gb hub these days.

Assuming access to the files' metadata I'd probably go for the date stamps,
further assuming the ransomware isn't manipulating them itself
(i.e. setting all of them to 1.1.1980 or something). And that all
computers have a synchronized time, more or less accurate.

You need to know at least one file existing on every computer which was
encrypted and check their date stamp on every computer in the
network. The one with the oldest should be the patient 0.

> I have a theory that a software-based firewall/router - first
> thing after the cable modem - MIGHT be able to see all of
> the traffic all of the time ... but I'll have to test this in several
> ways.
>
> The offending box will be the one generating huge volumes
> of SMB/CIFS traffic to the NAS's in the last hour before
> everything crashes.

To my knowledge ransomware works like any (also human) virus or zombie
outbreak: every infected machine will infect others without the need for patient 0.

It'll be pointless to find patient 0.
--
Andreas

PGP fingerprint 952B0A9F12C2FD6C9F7E68DAA9C2EA89D1A370E0
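An added example, not Andreas's code, of the timestamp triage he describes: it reads a constructed per-PC inventory of the encrypted file's modification time, rejects stamps that are implausible (older than the last known-good time, which catches ransomware that resets mtimes to 1980), corrects for a known per-host clock offset, and ranks hosts oldest first. Host names, offsets and times are all constructed.

```python
from datetime import datetime, timedelta

# Constructed inventory: "hostname,mtime of the encrypted copy of the same file"
# as collected from every PC (e.g. with `stat -c %y` on Linux).
SAMPLE_INVENTORY = """\
pc-017,2021-06-11 13:38:41
pc-042,2021-06-11 13:39:05
pc-003,2021-06-11 13:52:12
pc-088,1980-01-01 00:00:00
pc-101,2021-06-11 13:45:00
"""

# Constructed clock offsets in seconds, positive = host clock runs fast
# relative to NTP. pc-101 is 10 minutes ahead, so its raw stamp is too late.
SAMPLE_CLOCK_OFFSET = {"pc-101": 600}

# Files were known intact at start of business; anything "older" is bogus.
LAST_KNOWN_GOOD = datetime(2021, 6, 11, 8, 0, 0)


def parse_inventory(text):
    """Parse 'host,YYYY-MM-DD HH:MM:SS' lines into (host, datetime) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, stamp = line.split(",", 1)
        rows.append((host.strip(), datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S")))
    return rows


def triage(rows, offsets, last_known_good):
    """Return (ranked, rejected): ranked is [(host, corrected mtime)] oldest
    first; rejected holds hosts whose stamp predates last_known_good, which
    means the ransomware rewrote it and the value carries no information."""
    ranked, rejected = [], []
    for host, mtime in rows:
        corrected = mtime - timedelta(seconds=offsets.get(host, 0))
        if corrected < last_known_good:
            rejected.append((host, mtime))
            continue
        ranked.append((host, corrected))
    ranked.sort(key=lambda hc: hc[1])
    return ranked, rejected


def patient_zero_candidate(text=SAMPLE_INVENTORY, offsets=SAMPLE_CLOCK_OFFSET,
                           last_known_good=LAST_KNOWN_GOOD):
    """Host with the oldest plausible, clock-corrected stamp, or None."""
    ranked, _ = triage(parse_inventory(text), offsets, last_known_good)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    ranked, rejected = triage(parse_inventory(SAMPLE_INVENTORY), SAMPLE_CLOCK_OFFSET, LAST_KNOWN_GOOD)
    for host, when in ranked:
        print(f"{host}  {when}")
    for host, when in rejected:
        print(f"{host}  rejected (implausible stamp {when})")
```

Without the offset correction pc-017 would come out first; with it pc-101 does, which is why the clock-sync assumption in the post matters.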

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: AL...@invalid.invalid (Anass Luca)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 17:27:56 +0000 (UTC)
Message-ID: <sa06es$vdv$1@gioia.aioe.org>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
https://www.novabbs.com/computers/article-flat.php?id=5215&group=comp.os.linux.misc#5215

Margin <M287v1.cloud> wrote:
> Say you have an office with 100, or 500, PCs - mostly Windows.

If this is true, then the remainder of your post should have gone to a
windows newsgroup.

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 16:53:15 -0400
Message-ID: <87o8cc3yys.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <sa06es$vdv$1@gioia.aioe.org>
https://www.novabbs.com/computers/article-flat.php?id=5216&group=comp.os.linux.misc#5216

On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>
> Margin <M287v1.cloud> wrote:
>> Say you have an office with 100, or 500, PCs - mostly Windows.
>
> If this is true, then the remainder of your post should have gone to a
> windows newsgroup.

I suppose he wants to examine the situation from a Linux computer, which
is likely not to be impacted by ransomware. Doing this from a Windows
computer will likely backfire.
--
Andreas

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: bashley...@gmail.com (The Real Bev)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 15:30:30 -0700
Message-ID: <sa0o66$78p$2@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <sa06es$vdv$1@gioia.aioe.org> <87o8cc3yys.fsf@usenet.ankman.de>
https://www.novabbs.com/computers/article-flat.php?id=5217&group=comp.os.linux.misc#5217

On 06/11/2021 01:53 PM, Andreas Kohlbach wrote:
> On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>>
>> Margin <M287v1.cloud> wrote:
>>> Say you have an office with 100, or 500, PCs - mostly Windows.
>>
>> If this is true, then the remainder of your post should have gone to a
>> windows newsgroup.
>
> I suppose he wants to examine the situation from a Linux computer, which
> is likely not to be impacted by ransomware. Doing this from a Windows
> computer will likely backfire.

Is that actually true? They only bother using ransomware to attack
Windows computers? Somebody said they only targeted machines running
old Windows versions which still have a lot of insecurity...

--
Cheers, Bev
"If you expect to score points by whining, join a European soccer team."
--Demotivators poster

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: jpstew...@personalprojects.net (John-Paul Stewart)
Newsgroups: comp.os.linux.misc
Date: Fri, 11 Jun 2021 20:17:48 -0400
Message-ID: <iiicpdFg188U1@mid.individual.net>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
https://www.novabbs.com/computers/article-flat.php?id=5218&group=comp.os.linux.misc#5218

On 2021-06-11 12:22 a.m., Margin wrote:
>
> In theory, something like tcpdump could record CIFS traffic
> and keep logs for a day or so (data volume can be HIGH).
> Alas now that SWITCHES have replaced HUBS, no given
> machine sees ALL the network traffic. And no, you aren't
> going to buy a gigabit or especially 10/gb hub these days.
>
> I have a theory that a software-based firewall/router - first
> thing after the cable modem - MIGHT be able to see all of
> the traffic all of the time ... but I'll have to test this in several
> ways.

The firewall/router will only see the traffic going through it, in to or
out of the LAN. It won't see any traffic that is entirely internal to
the LAN.

However, most managed switches can be configured for "port mirroring" to
send duplicates of all packets to a specific port on that switch for the
sort of monitoring you're considering. Read up on "port mirroring" and
see if your switch supports it.

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 03:03:00 -0400
Message-ID: <87fsxn4laz.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net>
https://www.novabbs.com/computers/article-flat.php?id=5219&group=comp.os.linux.misc#5219

On Fri, 11 Jun 2021 20:17:48 -0400, John-Paul Stewart wrote:
>
> On 2021-06-11 12:22 a.m., Margin wrote:
>>
>> In theory, something like tcpdump could record CIFS traffic
>> and keep logs for a day or so (data volume can be HIGH).
>> Alas now that SWITCHES have replaced HUBS, no given
>> machine sees ALL the network traffic. And no, you aren't
>> going to buy a gigabit or especially 10/gb hub these days.
>>
>> I have a theory that a software-based firewall/router - first
>> thing after the cable modem - MIGHT be able to see all of
>> the traffic all of the time ... but I'll have to test this in several
>> ways.
>
> The firewall/router will only see the traffic going through it, in to or
> out of the LAN. It won't see any traffic that is entirely internal to
> the LAN.

Depends on the defaults.

> However, most managed switches can be configured for "port mirroring" to
> send duplicates of all packets to a specific port on that switch for the
> sort of monitoring you're considering. Read up on "port mirroring" and
> see if your switch supports it.

I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
being 192.168.0.1, and they all can "see" each other. There was no need
for any "port mirroring" or other configurations after I received it.
--
Andreas

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 09:29:20 +0100
Message-ID: <sa1r90$kpn$4@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <sa06es$vdv$1@gioia.aioe.org> <87o8cc3yys.fsf@usenet.ankman.de>
https://www.novabbs.com/computers/article-flat.php?id=5220&group=comp.os.linux.misc#5220

On 11/06/2021 21:53, Andreas Kohlbach wrote:
> On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>>
>> Margin <M287v1.cloud> wrote:
>>> Say you have an office with 100, or 500, PCs - mostly Windows.
>>
>> If this is true, then the remainder of your post should have gone to a
>> windows newsgroup.
>
> I suppose he wants to examine the situation from a Linux computer, which
> is likely not to be impacted by ransomware. Doing this from a Windows
> computer will likely backfire.
>
It is perfectly possible to have a SAMBA server whose entire SMB
exported filesystem is now trash.

The remedy of course is a second NON SMB machine that backs the other
one up via rsync or even NFS, so that you have two or three timed backups.

And to remove hard disks from the Windows PCs, to force them to store
everything on the server.

--
Outside of a dog, a book is a man's best friend. Inside of a dog it's
too dark to read.

Groucho Marx

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 13:01:53 +0200
Message-ID: <sa2471$2p5$1@news1.tnib.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <sa06es$vdv$1@gioia.aioe.org> <87o8cc3yys.fsf@usenet.ankman.de> <sa0o66$78p$2@dont-email.me>
https://www.novabbs.com/computers/article-flat.php?id=5221&group=comp.os.linux.misc#5221

The Real Bev <bashley101@gmail.com> wrote:
>On 06/11/2021 01:53 PM, Andreas Kohlbach wrote:
>> On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>>>
>>> Margin <M287v1.cloud> wrote:
>>>> Say you have an office with 100, or 500, PCs - mostly Windows.
>>>
>>> If this is true, then the remainder of your post should have gone to a
>>> windows newsgroup.
>>
>> I suppose he wants to examine the situation from a Linux computer, which
>> is likely not to be impacted by ransomware. Doing this from a Windows
>> computer will likely backfire.
>
>Is that actually true? They only bother using ransomeware to attack
>windows computers? Somebody said they only targeted machines running
>old windows versions which still have a lot of insecurity...

Most serious attacks use a Trojan to get in the first place, then
Spyware to get hold of passwords, a Backdoor to get back in, and then
wait until an Administrator delivers her password. From there, things
can continue OS independently. Single Sign On - once in, in
everywhere.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 13:03:18 +0200
Message-ID: <sa249m$2q5$1@news1.tnib.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
https://www.novabbs.com/computers/article-flat.php?id=5222&group=comp.os.linux.misc#5222

Andreas Kohlbach <ank@spamfence.net> wrote:
>On Fri, 11 Jun 2021 20:17:48 -0400, John-Paul Stewart wrote:
>> The firewall/router will only see the traffic going through it, in to or
>> out of the LAN. It won't see any traffic that is entirely internal to
>> the LAN.
>
>Depends on the defaults.
>
>> However, most managed switches can be configured for "port mirroring" to
>> send duplicates of all packets to a specific port on that switch for the
>> sort of monitoring you're considering. Read up on "port mirroring" and
>> see if your switch supports it.
>
>I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>being 192.168.0.1, and they all can "see" each other. There was no need
>for any "port mirroring" or other configurations after I received it.

Usually, on a properly functioning switch, Client B cannot "see" the
traffic that occurs between Clients A and C despite being able to both
communicate with A and C.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: tauno.vo...@notused.fi.invalid (Tauno Voipio)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 14:30:15 +0300
Message-ID: <sa25s9$224$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de> <sa249m$2q5$1@news1.tnib.de>
https://www.novabbs.com/computers/article-flat.php?id=5223&group=comp.os.linux.misc#5223

On 12.6.21 14.03, Marc Haber wrote:
> Andreas Kohlbach <ank@spamfence.net> wrote:
>> On Fri, 11 Jun 2021 20:17:48 -0400, John-Paul Stewart wrote:
>>> The firewall/router will only see the traffic going through it, in to or
>>> out of the LAN. It won't see any traffic that is entirely internal to
>>> the LAN.
>>
>> Depends on the defaults.
>>
>>> However, most managed switches can be configured for "port mirroring" to
>>> send duplicates of all packets to a specific port on that switch for the
>>> sort of monitoring you're considering. Read up on "port mirroring" and
>>> see if your switch supports it.
>>
>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>> being 192.168.0.1, and they all can "see" each other. There was no need
>> for any "port mirroring" or other configurations after I received it.
>
> Usually, on a properly functioning switch, Client B cannot "see" the
> traffic that occurs between Clients A and C despite being able to both
> communicate with A and C.
>
> Greetings
> Marc

WiFi is a different beast: It is more like the original
yellow coax cable Ethernet, where everybody heard everything
going on the network.

--

-TV

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Date: Sat, 12 Jun 2021 13:26:08 +0100
Message-ID: <sa2951$onf$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de> <sa249m$2q5$1@news1.tnib.de>
https://www.novabbs.com/computers/article-flat.php?id=5224&group=comp.os.linux.misc#5224

On 12/06/2021 12:03, Marc Haber wrote:
>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>> being 192.168.0.1, and they all can "see" each other. There was no need
>> for any "port mirroring" or other configurations after I received it.
> Usually, on a properly functioning switch, Client B cannot "see" the
> traffic that occurs between Clients A and C despite being able to both
> communicate with A and C.

It all depends what you mean by 'see'...

Switches will only relay packets to MAC addresses known to be on a given
segment.

Initial discovery is done, on an IP network, by means of an Ethernet
'all stations' broadcast...of the desired IP address. The desired IP
address responds, on its own MAC address, and the switch then 'knows'
where it is.

Two computers on a switch may 'see' each other, but that's only because
they have stored the same relationship between IP address and MAC
address, in their own 'ARP' tables. So they 'know' what MAC address to
send an IP address on. And the switch 'knows' which segment the MAC
address is on....

A google of Address Resolution Protocol and Ethernet Broadcast should
make it all clear.

What port mirroring does is stop the switch from being selective about
which port it sends a MAC address directed packet down, and send it to
other or all ports.

If you have a linux or *nix machine, tcpdump enables you to see that all
traffic on a given Ethernet segments is *apart from Ethernet broadcasts*
limited to that machine alone.

The move from coaxial ethernet to switches destroyed the hacker's dream
of being able to see in clear everything that was happening on a network.

Wifi largely reinstated it :-)
Wifi acts like a coaxial network.

It is encrypted but...if you capture the encryption handshakes, it can
be decrypted...

--
All political activity makes complete sense once the proposition that
all government is basically a self-legalising protection racket, is
fully understood.

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<sa2c4r$c2p$2@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5225&group=comp.os.linux.misc#5225

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 14:17:15 +0100
Organization: A little, after lunch
Lines: 41
Message-ID: <sa2c4r$c2p$2@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa25s9$224$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 12 Jun 2021 13:17:15 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="aa78ca91d27bd4cb083c78a022450b8f";
logging-data="12377"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18A9nXCblRCcY38sFM0pk09MrAxdiLF5ro="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:d+TYfr16BOWtqOdoCiPerD8gSNM=
In-Reply-To: <sa25s9$224$1@dont-email.me>
Content-Language: en-GB
 by: The Natural Philosop - Sat, 12 Jun 2021 13:17 UTC

On 12/06/2021 12:30, Tauno Voipio wrote:
> On 12.6.21 14.03, Marc Haber wrote:
>> Andreas Kohlbach <ank@spamfence.net> wrote:
>>> On Fri, 11 Jun 2021 20:17:48 -0400, John-Paul Stewart wrote:
>>>> The firewall/router will only see the traffic going through it, in
>>>> to or
>>>> out of the LAN.  It won't see any traffic that is entirely internal to
>>>> the LAN.
>>>
>>> Depends on the defaults.
>>>
>>>> However, most managed switches can be configured for "port
>>>> mirroring" to
>>>> send duplicates of all packets to a specific port on that switch for
>>>> the
>>>> sort of monitoring you're considering.  Read up on "port mirroring" and
>>>> see if your switch supports it.
>>>
>>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>> being 192.168.0.1, and they all can "see" each other. There was no need
>>> for any "port mirroring" or other configurations after I received it.
>>
>> Usually, on a properly functioning switch, Client B cannot "see" the
>> traffic that occurs between Clients A and C despite being able to both
>> communicate with A and C.
>>
>> Greetings
>> Marc
>
>
> WiFi is a different beast: It is more like the original
> yellow coax cable Ethernet, where everybody heard everyting
> going on the network.
>
Up to a point. Traffic is encrypted on WPA/WPA2.

--
The urge to save humanity is almost always a false front for the urge to
rule.
– H. L. Mencken, American journalist, 1880-1956

Ethernet switching (was: Ok - Assume Ransomware - How to find THE Box Responsible ?)

<60c4beb0$0$3706$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5226&group=comp.os.linux.misc#5226

Path: i2pn2.org!i2pn.org!news.nntp4.net!news.gegeweb.eu!gegeweb.org!usenet-fr.net!feeder1-2.proxad.net!proxad.net!feeder1-1.proxad.net!212.27.60.64.MISMATCH!cleanfeed3-b.proxad.net!nnrp1-1.free.fr!not-for-mail
Subject: Ethernet switching (was: Ok - Assume Ransomware - How to find THE Box
Responsible ?)
Newsgroups: comp.os.linux.misc
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sat, 12 Jun 2021 16:03:28 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <sa2951$onf$1@dont-email.me>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Lines: 43
Message-ID: <60c4beb0$0$3706$426a74cc@news.free.fr>
Organization: Guest of ProXad - France
NNTP-Posting-Date: 12 Jun 2021 16:03:28 CEST
NNTP-Posting-Host: 213.41.155.166
X-Trace: 1623506608 news-1.free.fr 3706 213.41.155.166:36838
X-Complaints-To: abuse@proxad.net
 by: Pascal Hambourg - Sat, 12 Jun 2021 14:03 UTC

Le 12/06/2021 à 14:26, The Natural Philosopher a écrit :
> On 12/06/2021 12:03, Marc Haber wrote:
>> Usually, on a properly functioning switch, Client B cannot "see" the
>> traffic that occurs between Clients A and C despite being able to both
>> communicate with A and C.
>
> It all depends what you mean by 'see'...

See = receive.

> Switches will only relay packets to MAC addresses known to be on a given
> segment.

No.

> Initial discovery is done, on an IP network, by means of an Ethernet
> 'all stations' broadcast.

No.

> Two computers on a switch may 'see' each other, but that's only because
> they have stored the same relationship between IP address and MAC
> address, in their own 'ARP' tables.

No.

> A google of Address Resolution Protocol and Ethernet Broadcast should
> make it all clear.

ARP has nothing to do with a switch operation. ARP is specific to IPv4
operation.

> What port mirroring does is stop the switch from being selective about
> which port it sends an MAC address directed packet down, and send it to
> other or all ports.

No.

> If you have a linux or *nix machine, tcpdump enables you to see that all
> traffic on a given Ethernet segments is *apart from Ethernet broadcasts*
> limited to that machine alone.

No.
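
The forwarding behaviour the two posts above disagree about, as an added example (editor's code, not anything either poster wrote): a minimal learning switch in the IEEE 802.1D sense. The switch learns which port each source MAC lives on, delivers a known unicast destination to exactly one port, and floods broadcast, multicast and not-yet-learned unicast to every other port. A mirror port, when configured, gets a copy of everything. The MAC addresses, port numbers and frame sequence are constructed for the demonstration.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """Transparent bridge: learn source MAC per port, forward known unicast to
    one port, flood everything else. No IP or ARP knowledge is involved."""

    def __init__(self, ports, mirror_port=None):
        self.ports = frozenset(ports)
        self.fdb = {}                    # forwarding database: MAC -> port
        self.mirror_port = mirror_port   # SPAN/monitor port, or None

    def forward(self, ingress, src, dst):
        """Return the set of egress ports that receive a frame arriving on `ingress`."""
        self.fdb[src] = ingress          # learning is keyed on the source address only
        if is_group_address(dst) or dst not in self.fdb:
            egress = set(self.ports) - {ingress}   # flood: broadcast, multicast, unknown unicast
        else:
            egress = {self.fdb[dst]} - {ingress}   # known unicast: exactly one port
        if self.mirror_port is not None and self.mirror_port != ingress:
            egress.add(self.mirror_port)           # port mirroring copies every frame here
        return frozenset(egress)


# Constructed hosts: A on port 1, B on port 2, C on port 3; port 4 is spare (or the monitor port).
A_MAC, B_MAC, C_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
A_PORT, B_PORT, C_PORT, MON_PORT = 1, 2, 3, 4


def scenario(mirror_port=None):
    """A and C exchange frames while B sits on port 2. Returns frame name -> egress ports."""
    sw = LearningSwitch(ports=[A_PORT, B_PORT, C_PORT, MON_PORT], mirror_port=mirror_port)
    log = OrderedDict()
    # Empty table: A's first unicast to C is flooded, so B does receive this one frame.
    log["A->C (C unknown)"] = sw.forward(A_PORT, A_MAC, C_MAC)
    # C answers; A was learned on port 1 from the first frame, so only port 1 gets it.
    log["C->A"] = sw.forward(C_PORT, C_MAC, A_MAC)
    # Both ends known: from here on B never receives A<->C traffic.
    log["A->C"] = sw.forward(A_PORT, A_MAC, C_MAC)
    # Broadcast (an ARP request on an IPv4 LAN, for instance) reaches every other port.
    log["A->broadcast"] = sw.forward(A_PORT, A_MAC, BROADCAST)
    return log


def frames_seen_by(log, port):
    """Which frames in `log` reached `port`: what tcpdump on a host there would capture."""
    return [name for name, egress in log.items() if port in egress]


if __name__ == "__main__":
    for label, mirror in (("no mirroring", None), ("port 4 mirrors all", MON_PORT)):
        log = scenario(mirror_port=mirror)
        print(f"{label}: B sees {frames_seen_by(log, B_PORT)}, "
              f"port 4 sees {frames_seen_by(log, MON_PORT)}")
```

Without a mirror port, a capture on B's port collects only the single frame flooded before the switch had learned C, plus broadcasts; once both addresses are in the table, B receives nothing of the A<->C conversation. With port 4 configured as the mirror, a capture box on port 4 receives every frame, which is the setup the earlier replies describe for finding a chatty machine on a wired LAN.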

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<87a6nv3xy4.fsf@usenet.ankman.de>

https://www.novabbs.com/computers/article-flat.php?id=5227&group=comp.os.linux.misc#5227

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 11:27:31 -0400
Organization: https://news-commentaries.blogspot.com/
Lines: 17
Message-ID: <87a6nv3xy4.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="bd400a0c745280c2d62eb96339ff6780";
logging-data="31411"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18XdqVHrLuV9wLKoK8b5nX2"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:LIdAeEdncU9/BHLmm4oUhsE1M1w=
sha1:qy6He/qJMGZgsOVZNGoC8gqin3M=
X-No-Archive: Yes
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Sat, 12 Jun 2021 15:27 UTC

On Sat, 12 Jun 2021 13:03:18 +0200, Marc Haber wrote:
>
> Andreas Kohlbach <ank@spamfence.net> wrote:
>>
>>I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>being 192.168.0.1, and they all can "see" each other. There was no need
>>for any "port mirroring" or other configurations after I received it.
>
> Usually, on a properly functioning switch, Client B cannot "see" the
> traffic that occurs between Clients A and C despite being able to both
> communicate with A and C.

I agree. But on this "cable-modem-wifi-router" (and on all others I
encountered before) "seeing each other" is default. I could change the
settings, but want clients to be able to exchange data.
--
Andreas

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<877diz3xt4.fsf@usenet.ankman.de>

https://www.novabbs.com/computers/article-flat.php?id=5228&group=comp.os.linux.misc#5228

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 11:30:31 -0400
Organization: https://news-commentaries.blogspot.com/
Lines: 22
Message-ID: <877diz3xt4.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa25s9$224$1@dont-email.me>
<sa2c4r$c2p$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="bd400a0c745280c2d62eb96339ff6780";
logging-data="31411"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX190TWn945+Bb8ipq8/B9T9g"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:yEvA21eJd9caDtLvl0+mdOlhOkc=
sha1:e5S8DW5IdUqUW6Dx0X33mmuspjk=
X-No-Archive: Yes
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Sat, 12 Jun 2021 15:30 UTC

On Sat, 12 Jun 2021 14:17:15 +0100, The Natural Philosopher wrote:
>
> On 12/06/2021 12:30, Tauno Voipio wrote:
>> On 12.6.21 14.03, Marc Haber wrote:
>>>
>>> Usually, on a properly functioning switch, Client B cannot "see" the
>>> traffic that occurs between Clients A and C despite being able to both
>>> communicate with A and C.
>>>
>>> Greetings
>>> Marc
>>
>> WiFi is a different beast: It is more like the original
>> yellow coax cable Ethernet, where everybody heard everything
>> going on the network.
>>
> Up to a point. Traffic is encrypted on WPA/WPA2.

The connection between devices and the router is, not the traffic between
them. Not by default.
--
Andreas

Re: Ethernet switching

<sa2k0d$ujr$3@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5229&group=comp.os.linux.misc#5229

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sat, 12 Jun 2021 16:31:25 +0100
Organization: A little, after lunch
Lines: 52
Message-ID: <sa2k0d$ujr$3@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 12 Jun 2021 15:31:25 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="aa78ca91d27bd4cb083c78a022450b8f";
logging-data="31355"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+68999bhT9TiS1MIPZclOmx5gqcjayQgI="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:3mOsCE703WxY+a8TGk2Owts+EpQ=
In-Reply-To: <60c4beb0$0$3706$426a74cc@news.free.fr>
Content-Language: en-GB
 by: The Natural Philosop - Sat, 12 Jun 2021 15:31 UTC

On 12/06/2021 15:03, Pascal Hambourg wrote:
> Le 12/06/2021 à 14:26, The Natural Philosopher a écrit :
>> On 12/06/2021 12:03, Marc Haber wrote:
>>> Usually, on a properly functioning switch, Client B cannot "see" the
>>> traffic that occurs between Clients A and C despite being able to both
>>> communicate with A and C.
>>
>> It all depends what you mean by 'see'...
>
> See = receive.
>
>> Switches will only relay packets to MAC addresses known to be on a
>> given segment.
>
> No.
>
>> Initial discovery is done, on an IP network, by means of an Ethernet
>> 'all stations' broadcast.
>
> No.
>
>> Two computers on a switch may 'see' each other, but that's only
>> because they have stored the same relationship between IP address and
>> MAC address, in their own 'ARP' tables.
>
> No.
>
>> A google of Address Resolution Protocol and Ethernet Broadcast should
>> make it all clear.
>
> ARP has nothing to do with a switch operation. ARP is specific to IPv4
> operation.
>
>> What port mirroring does is stop the switch from being selective about
>> which port it sends an MAC address directed packet down, and send it
>> to other or all ports.
>
> No.
>
>> If you have a linux or *nix machine, tcpdump enables you to see that
>> all traffic on a given Ethernet segments is *apart from Ethernet
>> broadcasts* limited to that machine alone.
>
> No.

I see you don't understand basic networking.

When you do, please respond intelligently.

--
No Apple devices were knowingly used in the preparation of this post.

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<sa2k5n$ujr$4@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5230&group=comp.os.linux.misc#5230

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 16:34:15 +0100
Organization: A little, after lunch
Lines: 33
Message-ID: <sa2k5n$ujr$4@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa25s9$224$1@dont-email.me>
<sa2c4r$c2p$2@dont-email.me> <877diz3xt4.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 12 Jun 2021 15:34:15 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="aa78ca91d27bd4cb083c78a022450b8f";
logging-data="31355"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX192EuoL537L8q+Lpu49cim0ayT7RxHjNcs="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:tkDAHdfVHq12ZD8vpEozB+DTs+c=
In-Reply-To: <877diz3xt4.fsf@usenet.ankman.de>
Content-Language: en-GB
 by: The Natural Philosop - Sat, 12 Jun 2021 15:34 UTC

On 12/06/2021 16:30, Andreas Kohlbach wrote:
> On Sat, 12 Jun 2021 14:17:15 +0100, The Natural Philosopher wrote:
>>
>> On 12/06/2021 12:30, Tauno Voipio wrote:
>>> On 12.6.21 14.03, Marc Haber wrote:
>>>>
>>>> Usually, on a properly functioning switch, Client B cannot "see" the
>>>> traffic that occurs between Clients A and C despite being able to both
>>>> communicate with A and C.
>>>>
>>>> Greetings
>>>> Marc
>>>
>>> WiFi is a different beast: It is more like the original
>>> yellow coax cable Ethernet, where everybody heard everything
>>> going on the network.
>>>
>> Up to a point. Traffic is encrypted on WPA/WPA2.
>
> The connection between devices and the router is, not the traffic between
> them. Not by default.
>

What on earth does that mean?

All traffic goes via the wifi point so all traffic is encrypted...

Only once on Ethernet will it be 'in clear', but if an Ethernet switch
is involved only the switch sees that traffic apart from the end point.

--
No Apple devices were knowingly used in the preparation of this post.
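
The claim in an earlier post that captured handshakes make WiFi traffic decryptable, and the "all traffic goes via the wifi point so all traffic is encrypted" reply just above, both come down to how WPA2-PSK derives its per-station keys. The following is an added example (editor's code, not from any poster): the PMK comes from the passphrase and SSID alone, and the PTK from the PMK plus the two MAC addresses and two nonces, all four of which travel in clear in the 4-way handshake. Anyone who knows the passphrase and captured the handshake can therefore rebuild that station's keys, and anyone who captured the handshake can test passphrase guesses offline against its MIC. The MACs, nonces and the EAPOL-Key message 2 below are constructed, not a real capture; the PMK test vector is the published one from the IEEE 802.11i annex.

```python
import hashlib
import hmac

# EAPOL-Key frame layout (IEEE 802.11, RSN key descriptor), offsets from the EAPOL header:
# EAPOL header 4 | descriptor type 1 | key info 2 | key length 2 | replay counter 8
# | key nonce 32 | key IV 16 | key RSC 8 | key ID 8 | MIC 16 | key data length 2 | key data
MIC_OFFSET = 81
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the PTK is 48 bytes: KCK (16) | KEK (16) | TK (16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(3):   # 3 x 20 bytes of HMAC-SHA1 output, truncated to 48
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]


def build_eapol_key_msg2(snonce: bytes) -> bytes:
    """Constructed handshake message 2 (station -> AP) with the MIC field zeroed."""
    body = (b"\x02"                      # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC set
            + b"\x00\x10"                # key length 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce                     # SNonce, sent in clear
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID (reserved)
            + b"\x00" * MIC_LEN          # MIC, filled in by sign_eapol()
            + b"\x00\x00")               # key data length 0 (a real msg2 carries the RSN IE)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    """What the station does before sending message 2."""
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def check_passphrase(candidate, ssid, ap_mac, sta_mac, anonce, snonce, captured_msg2) -> bool:
    """The offline test a passphrase cracker runs per candidate against one captured handshake."""
    ptk = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
    kck = ptk[:16]
    return hmac.compare_digest(captured_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN],
                               eapol_mic(kck, captured_msg2))


# Constructed "capture": everything here except the passphrase is visible to a passive sniffer.
SSID, PASSPHRASE = "IEEE", "password"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("02000000000a")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
PTK = derive_ptk(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
CAPTURED_MSG2 = sign_eapol(PTK[:16], build_eapol_key_msg2(SNONCE))
TK = PTK[32:48]   # the CCMP key that protects this one station's unicast frames

if __name__ == "__main__":
    print("PMK:", derive_pmk(PASSPHRASE, SSID).hex())
    print("TK :", TK.hex())
    for guess in ("password", "Password1"):
        ok = check_passphrase(guess, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2)
        print(f"{guess!r}: {'MATCH' if ok else 'no'}")
```

Two caveats a practitioner will want. First, the TK is per station: a frame from client A to client C crosses the air twice, once under A's TK and once under C's, so reading that conversation needs the passphrase plus both stations' handshakes, and a client that associated before the capture started has to be deauthenticated and caught re-joining. Second, this only holds for passphrase-derived keys; WPA3-SAE derives the PMK from an authenticated key exchange rather than from the passphrase, so the offline check above does not apply there.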

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<874ke33xl6.fsf@usenet.ankman.de>

https://www.novabbs.com/computers/article-flat.php?id=5231&group=comp.os.linux.misc#5231

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ank...@spamfence.net (Andreas Kohlbach)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 11:35:17 -0400
Organization: https://news-commentaries.blogspot.com/
Lines: 25
Message-ID: <874ke33xl6.fsf@usenet.ankman.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<sa06es$vdv$1@gioia.aioe.org> <87o8cc3yys.fsf@usenet.ankman.de>
<sa1r90$kpn$4@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: reader02.eternal-september.org; posting-host="bd400a0c745280c2d62eb96339ff6780";
logging-data="31411"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18CMs2ySrS9fcVwcKS+m0Nf"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Cancel-Lock: sha1:ilKeWDLOB6dZbPQy5JVKfFkTs5Y=
sha1:bLzSksakq9rjcEIp4J74dm49R9c=
X-Face: '#R~-oJz-_!iXhczPJ;=w1(`5-uQ2$0qHB7KKDV,]VoAC!P?swaa#m|eB<DkOt*XH=~9C[g S^w)b,)1q,{P\7Z3H,N(^m.YKuYM//B{X:PvbDk.|:g:$wVr*3*)[K6F+k\z-s32+oB]YJPy11wuGGz'bQAk~1.b1[;M{^A2@bboIENBB:Wd:<Fm~r7OuiJA1g}7KC-T'>Du+
X-Face-What-Is-It: Capture Bee from Galaga
 by: Andreas Kohlbach - Sat, 12 Jun 2021 15:35 UTC

On Sat, 12 Jun 2021 09:29:20 +0100, The Natural Philosopher wrote:
>
> On 11/06/2021 21:53, Andreas Kohlbach wrote:
>> On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>>>
>>> Margin <M287v1.cloud> wrote:
>>>> Say you have an office with 100, or 500, PCs - mostly Windows.
>>>
>>> If this is true, then the remainder of your post should have gone to a
>>> windows newsgroup.
>> I suppose he wants to examine the situation from a Linux computer,
>> which
>> is likely not to be impacted by ransomware. Doing this from a Windows
>> computer will likely backfire.
>>
> It is perfectly possible to have a SAMBA server whose entire SMB
> exported filesystem is now trash

I was assuming the *imported* filesystem (that of the Windows machine) is
already compromised.

Of course you don't want to export (at least not read-write) your file
system to a compromised machine.
--
Andreas

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<sa2kig$68n$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5232&group=comp.os.linux.misc#5232

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 16:41:03 +0100
Organization: A little, after lunch
Lines: 46
Message-ID: <sa2kig$68n$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<sa06es$vdv$1@gioia.aioe.org> <87o8cc3yys.fsf@usenet.ankman.de>
<sa1r90$kpn$4@dont-email.me> <874ke33xl6.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 12 Jun 2021 15:41:04 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="aa78ca91d27bd4cb083c78a022450b8f";
logging-data="6423"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/6buIVcuyQOt5WxQv2wHkHxKVCSiYbmDs="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:+hXCZNkqljMdTGg3ivg/buCmYVw=
In-Reply-To: <874ke33xl6.fsf@usenet.ankman.de>
Content-Language: en-GB
 by: The Natural Philosop - Sat, 12 Jun 2021 15:41 UTC

On 12/06/2021 16:35, Andreas Kohlbach wrote:
> On Sat, 12 Jun 2021 09:29:20 +0100, The Natural Philosopher wrote:
>>
>> On 11/06/2021 21:53, Andreas Kohlbach wrote:
>>> On Fri, 11 Jun 2021 17:27:56 +0000 (UTC), Anass Luca wrote:
>>>>
>>>> Margin <M287v1.cloud> wrote:
>>>>> Say you have an office with 100, or 500, PCs - mostly Windows.
>>>>
>>>> If this is true, then the remainder of your post should have gone to a
>>>> windows newsgroup.
>>> I suppose he wants to examine the situation from a Linux computer,
>>> which
>>> is likely not to be impacted by ransomware. Doing this from a Windows
>>> computer will likely backfire.
>>>
>> It is perfectly possible to have a SAMBA server whose entire SMB
>> exported filesystem is now trash
>
> I was assuming the *imported* filesystem (that of the Windows machine) is
> already compromised.
>
> Of course you don't want to export (at least not read-write) your file
> system to a compromised machine.
>
Practically speaking, so long as you have machines with internet access
they can be compromised, although it's a lot harder and less rewarding
for hackers to construct traps for Linux.

Trying to identify who caught it first when everyone is infected is
rather pointless.

The real solution is to hold data on a Linux machine as a file/cloud
server, and back it up to another Linux machine.

Once you have a nasty loose on your internal network, only a change of
operating system/network protocol and/or another internal firewall will
protect you.

--
“The ultimate result of shielding men from the effects of folly is to
fill the world with fools.”

Herbert Spencer

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<iik39oFq1v2U1@mid.individual.net>

https://www.novabbs.com/computers/article-flat.php?id=5233&group=comp.os.linux.misc#5233

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: jpstew...@personalprojects.net (John-Paul Stewart)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 11:48:07 -0400
Lines: 33
Message-ID: <iik39oFq1v2U1@mid.individual.net>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <87a6nv3xy4.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 4vP6ydzasYExXRBFNUJGUAAAsvyi1saHQajBG/lmmKLB1+ToZ2
Cancel-Lock: sha1:yqKkMHs/lsKHP5WrJZ7mEcYBjTE=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.10.0
In-Reply-To: <87a6nv3xy4.fsf@usenet.ankman.de>
Content-Language: en-CA
 by: John-Paul Stewart - Sat, 12 Jun 2021 15:48 UTC

On 2021-06-12 11:27 a.m., Andreas Kohlbach wrote:
> On Sat, 12 Jun 2021 13:03:18 +0200, Marc Haber wrote:
>>
>> Andreas Kohlbach <ank@spamfence.net> wrote:
>>>
>>> I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>> being 192.168.0.1, and they all can "see" each other. There was no need
>>> for any "port mirroring" or other configurations after I received it.
>>
>> Usually, on a properly functioning switch, Client B cannot "see" the
>> traffic that occurs between Clients A and C despite being able to both
>> communicate with A and C.
>
> I agree. But on this "cable-modem-wifi-router" (and on all others I
> encountered before) "seeing each other" is default. I could change the
> settings, but want clients to be able to exchange data.

WiFi is vastly different than a wired, switched network which is what
the original poster specifically mentioned. Plus, your home
"cable-modem-wifi-router" device is vastly different than what you'll
find in a corporate network. (The OP mentioned 100 or 500 systems).
There, you'll have a router at the edge, a separate firewall, then one
or more switches to the PCs on the LAN. The switch passes traffic
between PCs on the LAN, but the router and firewall don't ever see any
of that internal traffic.

That doesn't mean the devices aren't "seeing each other". They can and
do communicate with each other. What they don't see are the network
packets NOT addressed to them. I.e., they can communicate directly with
each other but they can't snoop on third-party LAN communications.
You're conflating the concept of "seeing each other" with "reading each
other's communications".

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<sa2ltd$5jd$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=5234&group=comp.os.linux.misc#5234

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news1.tnib.de!feed.news.tnib.de!news.tnib.de!.POSTED.i5c74a8d0.versanet.de!not-for-mail
From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 18:03:57 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <sa2ltd$5jd$1@news1.tnib.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de> <sa249m$2q5$1@news1.tnib.de> <87a6nv3xy4.fsf@usenet.ankman.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 12 Jun 2021 16:03:57 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="i5c74a8d0.versanet.de:92.116.168.208";
logging-data="5741"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Sat, 12 Jun 2021 16:03 UTC

Andreas Kohlbach <ank@spamfence.net> wrote:
>On Sat, 12 Jun 2021 13:03:18 +0200, Marc Haber wrote:
>>
>> Andreas Kohlbach <ank@spamfence.net> wrote:
>>>
>>>I have (WIFI) clients at 192.168.0.100 to 192.168.0.110, with the router
>>>being 192.168.0.1, and they all can "see" each other. There was no need
>>>for any "port mirroring" or other configurations after I received it.
>>
>> Usually, on a properly functioning switch, Client B cannot "see" the
>> traffic that occurs between Clients A and C despite being able to both
>> communicate with A and C.
>
>I agree. But on this "cable-modem-wifi-router" (and on all others I
>encountered before) "seeing each other" is default. I could change the
>settings, but want clients to be able to exchange data.

"Seeing each other" and "exchanging data" does not mean "being able to
eavesdrop arbitrary traffic between two unrelated hosts".

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Ethernet switching

<sa2lvq$5vd$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=5235&group=comp.os.linux.misc#5235

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news1.tnib.de!feed.news.tnib.de!news.tnib.de!.POSTED.i5c74a8d0.versanet.de!not-for-mail
From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sat, 12 Jun 2021 18:05:14 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <sa2lvq$5vd$1@news1.tnib.de>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com> <iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de> <sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me> <60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 12 Jun 2021 16:05:14 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="i5c74a8d0.versanet.de:92.116.168.208";
logging-data="6125"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Sat, 12 Jun 2021 16:05 UTC

The Natural Philosopher <tnp@invalid.invalid> wrote:
>I see you don't understand basic networking
>
>When you do, please respond intelligently

Pascal is right, and my upbringing forbids me to say what I think
about you.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Ok - Assume Ransomware - How to find THE Box Responsible ?

<sa2mci$iih$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5236&group=comp.os.linux.misc#5236

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: Ok - Assume Ransomware - How to find THE Box Responsible ?
Date: Sat, 12 Jun 2021 17:12:01 +0100
Organization: A little, after lunch
Lines: 57
Message-ID: <sa2mci$iih$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <87a6nv3xy4.fsf@usenet.ankman.de>
<iik39oFq1v2U1@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 12 Jun 2021 16:12:02 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="aa78ca91d27bd4cb083c78a022450b8f";
logging-data="19025"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+dg7/BxRJNxomxtPDKoh5qcCTseWLo2kM="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
Cancel-Lock: sha1:Z3uZr3nLrwJk2wTRj+fPd69J8PA=
In-Reply-To: <iik39oFq1v2U1@mid.individual.net>
Content-Language: en-GB
 by: The Natural Philosop - Sat, 12 Jun 2021 16:12 UTC

On 12/06/2021 16:48, John-Paul Stewart wrote:
> WiFi is vastly different than a wired, switched network which is what
> the original poster specifically mentioned.

That depends on the company size.

Many SME setups are essentially domestic broadband ones with just more
computers on them. And more wifi points.

> Plus, your home
> "cable-modem-wifi-router" device is vastly different than what you'll
> find in a corporate network.

Again, although it could be, I am not convinced it often is. If you don't
have a dedicated IT department to set it up and support it, chances are
it won't be...

> (The OP mentioned 100 or 500 systems).
> There, you'll have a router at the edge, a separate firewall, then one
> or more switches to the PCs on the LAN.

Not necessarily. It MIGHT be managed as 10 separate LANs, each with its
own broadband connection, and possibly a few routers connecting them.
It's often cheaper and avoids hassle with people complaining about 'the
corporate network'.

I long ago found out that the cost of 'one printer per department' was
vastly cheaper than supporting 'one corporate printer'

In many cases what is appropriate is not one 'flat' Windows network, but
a series of quasi-autonomous networks with routers and firewalls
between them that have access to one or more 'corporate' servers on
rather different networks.

That means that problems in one network do not propagate too far.

> The switch passes traffic
> between PCs on the LAN, but the router and firewall don't ever see any
> of that internal traffic.
>
They see the broadcasts, but I am nit-picking...

> That doesn't mean the devices aren't "seeing each other". They can and
> do communicate with each other. What they don't see are the network
> packets NOT addressed to them. I.e., they can communicate directly with
> each other but they can't snoop on third-party LAN communications.
> You're conflating the concept of "seeing each other" with "reading each
> other's communications".

Yup.

--
Microsoft : the best reason to go to Linux that ever existed.
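A toy learning switch, added here as an example that is not from the thread, to make the disputed point concrete: a unicast frame to a MAC the switch has already learned goes out of one port only, while broadcasts (and frames to not-yet-learned destinations) are flooded to every other port, so a firewall or monitoring host hanging off its own port sees the broadcasts but not the unicast exchange between two PCs. The MAC addresses, port numbers and traffic are constructed.

```python
"""Toy learning switch (added example, not from the thread).

Models the behaviour discussed above: the switch learns which port each
source MAC lives on, forwards unicast to a known destination out of that
one port only, and floods broadcasts and unknown destinations to every
other port.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)          # constructed port numbers, e.g. [1, 2, 3, 4]
        self.cam = {}                     # MAC -> port (the CAM / forwarding table)
        self.seen = defaultdict(list)     # port -> frames delivered out of that port

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on in_port; return the list of egress ports."""
        self.cam[src] = in_port           # learn where the sender lives
        if dst == BROADCAST or dst not in self.cam:
            out = [p for p in self.ports if p != in_port]   # flood
        else:
            out = [self.cam[dst]]                            # known unicast: one port
        for p in out:
            self.seen[p].append((src, dst))
        return out


def run_scenario():
    """Constructed traffic on a 4-port switch; port 4 is a firewall/monitor."""
    sw = LearningSwitch([1, 2, 3, 4])
    a, b, c = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
    sw.receive(1, a, BROADCAST)   # A's ARP-style broadcast: every other port sees it
    sw.receive(2, b, a)           # B answers A; A is already learned, so only port 1
    sw.receive(1, a, b)           # A -> B unicast: only port 2
    sw.receive(3, c, b)           # C -> B unicast: only port 2
    return sw


if __name__ == "__main__":
    sw = run_scenario()
    for port in sw.ports:
        print(f"port {port} saw {len(sw.seen[port])} frame(s): {sw.seen[port]}")
```

Port 4 (the firewall/monitor) ends up with exactly one frame, the broadcast, which is why intra-LAN unicast has to be caught at the hosts, on a mirror port, or at the router between segments rather than on an edge firewall.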

Re: Ethernet switching

<sa2mdl$hfp$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=5237&group=comp.os.linux.misc#5237

From: dan1es...@gmail.com (Dan Espen)
Newsgroups: comp.os.linux.misc
Subject: Re: Ethernet switching
Date: Sat, 12 Jun 2021 12:12:36 -0400
Organization: A noiseless patient Spider
Lines: 15
Message-ID: <sa2mdl$hfp$1@dont-email.me>
References: <6ko5cgtbj4sqqc5sepj8l9omd009mcbqv8@4ax.com>
<iiicpdFg188U1@mid.individual.net> <87fsxn4laz.fsf@usenet.ankman.de>
<sa249m$2q5$1@news1.tnib.de> <sa2951$onf$1@dont-email.me>
<60c4beb0$0$3706$426a74cc@news.free.fr> <sa2k0d$ujr$3@dont-email.me>
<sa2lvq$5vd$1@news1.tnib.de>

Marc Haber <mh+usenetspam1118@zugschl.us> writes:

> The Natural Philosopher <tnp@invalid.invalid> wrote:
>>I see you don't understand basic networking.
>>
>>When you do, please respond intelligently.
>
> Pascal is right, and my upbringing forbids me to say what I think
> about you.

He may be right, but it would be nice if he gave some hints so some of us
could learn something.

--
Dan Espen
