@cmb:
@firewalluser:
Govts, especially the military, have far greater resources than most businesses.
Which was exactly my point. They also likely wouldn't be so sloppy about it as to get caught repeatedly. You have to be deploying systems over and over again with the same security hole(s) that eventually someone scanning finds and owns. Unless you're a high profile target, no one's going to waste a high value 0 day on you. Every time you use it, it's more likely to be found out.
Who needs a 0 day, as you rightly point out below, but then do you buy the stories the Govt don't have the money for xyz?
@firewalluser:
I think that only one device, namely an RPi, was used to access and configure pfSense on the default LAN, and all other additional NICs to internal machines had to be enabled to the extent I have detailed here https://forum.pfsense.org/index.php?topic=92804.msg517267#msg517267
would suggest reasonable precautions had been taken?
I would call that reasonable precautions. That's far better than most people.
Still plenty of ways to be compromised. Some incident response definitely would be justified to figure out how that's happening to you.
Well, if my HDs with packet capture data and others weren't being trashed I'd be able to provide something; unfortunately my HDs keep being trashed, making it difficult to provide any such data for analysis.
But if you needed a backdoor into a system, hardware is where I'd put it, as it's virtually impossible to inspect, as this vid from 2007 explains.
https://www.youtube.com/watch?v=VV_v_OEOhH0
Wake-on-LAN has been around for years, since 1996. http://en.wikipedia.org/wiki/Wake-on-LAN#History
So do you (or anyone else*) have any suggestions to overcome the hw issues? Apart from using older hw and perhaps USB NICs (although some would suggest not using them) I don't have any other ideas to avoid getting hacked which could prove the hacking methods used, especially considering this post of mine from earlier on in the year. https://forum.pfsense.org/index.php?topic=88180.msg486376#msg486376
*Like I said to Kejianshi, the logical thing to do is unplug from the net.