Netgate Discussion Forum
    Simple DNS log per host? Pfblocker? Ntopng?

    Traffic Monitoring
    30 Posts 4 Posters 3.6k Views
    • bingo600B
      bingo600 @MikeGraw376
      last edited by

      @mikegraw376

      Just something to be aware of.

      You might be able to log DNS from IoT devices for now ... simple queries.

      But DoH will interfere with that soon 👎 (terrible)

      If your kids are using Chrome, they'll (Chrome will) bypass normal DNS and use DoH.

      All you will see is a series of HTTPS requests.
      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

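The detection side of Bingo's point, as an added example that is not from this thread or from pfSense: correlate the local resolver's answer log with the firewall's outbound HTTPS log and flag hosts whose TLS destinations never came from a local DNS answer, which is exactly what a DoH-enabled client looks like from the firewall. Both log formats below are constructed and simplified, not Unbound's or pfSense's own; the host names and addresses are made up.

```python
from collections import defaultdict

# Constructed sample of a local resolver's answer log (simplified format,
# not Unbound's or pfSense's own). Fields: epoch client qname answer_ip
RESOLVER_LOG = """\
1700000000 192.168.10.21 www.example.org 93.184.216.34
1700000005 192.168.10.21 cdn.example.net 203.0.113.10
1700000010 192.168.10.42 update.example.com 198.51.100.7
"""

# Constructed sample of outbound firewall pass entries (simplified).
# Fields: epoch src_ip dst_ip dst_port
FIREWALL_LOG = """\
1700000001 192.168.10.21 93.184.216.34 443
1700000006 192.168.10.21 203.0.113.10 443
1700000012 192.168.10.42 198.51.100.7 443
1700000020 192.168.10.42 192.0.2.53 443
1700000021 192.168.10.42 192.0.2.53 443
1700000030 192.168.10.42 192.0.2.77 443
"""

def parse_resolver_log(text):
    """Map (client, answer_ip) -> list of times the resolver handed out that answer."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, _qname, answer = line.split()
            seen[(client, answer)].append(int(ts))
    return seen

def parse_firewall_log(text):
    """Return (ts, src, dst, dport) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((int(ts), src, dst, int(dport)))
    return flows

def was_resolved(seen, client, dst, ts, window):
    """True if the client got dst as a DNS answer within `window` seconds
    before the flow started (covers answers cached from an earlier lookup)."""
    return any(ts - window <= t <= ts for t in seen.get((client, dst), []))

def find_unresolved_https(resolver_text, fw_text, window=3600):
    """{client: [(ts, dst), ...]} for TCP/443 flows whose destination the client
    never obtained from the local resolver: the 'only HTTPS, no DNS' pattern."""
    seen = parse_resolver_log(resolver_text)
    unresolved = defaultdict(list)
    for ts, src, dst, dport in parse_firewall_log(fw_text):
        if dport == 443 and not was_resolved(seen, src, dst, ts, window):
            unresolved[src].append((ts, dst))
    return dict(unresolved)

def unresolved_ratio(resolver_text, fw_text, window=3600):
    """Fraction of each client's TCP/443 flows with no preceding DNS answer;
    a ratio near 1.0 is the signal, a few stray IP-literal connections are not."""
    totals = defaultdict(int)
    for ts, src, dst, dport in parse_firewall_log(fw_text):
        totals[src] += dport == 443
    bad = find_unresolved_https(resolver_text, fw_text, window)
    return {h: len(bad.get(h, [])) / n for h, n in totals.items() if n}
```

In the sample, 192.168.10.42 stops using the local resolver after its third flow, so three of its four HTTPS connections go to addresses it never looked up; a `window` shorter than the upstream TTLs will produce false positives from cached answers, so tune it to your resolver's cache behaviour.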
      • M
        MikeGraw376 @bingo600
        last edited by

        @bingo600 said in Simple DNS log per host? Pfblocker? Ntopng?:

        @mikegraw376
        If your kids are using Chrome, they'll (Chrome will) bypass normal DNS and use DoH.

        All you will see is a series of HTTPS requests.

        Thanks for that, I heard about this before. I’m not all that worried yet. DoH still has to be enabled manually at this point and my family members don’t have a clue about IT so I can still service all devices and disable it where applicable.
        We mostly use macs and iOS devices.

        You reckon IoT crap will start to use DoH anytime soon?

        Mike

        • bingo600B
          bingo600 @MikeGraw376
          last edited by

          @mikegraw376 said in Simple DNS log per host? Pfblocker? Ntopng?:

          You reckon IoT crap will start to use DoH anytime soon?

          Depends ....
          DoH will enable the company to "sniff" all your requests, as they could use DoH servers they control. For Google I'd say yes (speakers etc.), just to collect more info.

          For an ESP8266 WiFi switch ...
          It would prob depend on if they are already using HTTPS for fw-update or registering, then the code is already in the device.
          A small company would prob not have its own DoH servers, so they will claim security as the benefit.

          In general I'd say for smaller companies ... Not yet.

          /Bingo


          • M
            MikeGraw376 @bingo600
            last edited by

            @bingo600
            Insightful, thanks. As I’m allergic to data collectors, tracking, sniffing etc I don’t use any google products. We use the apple Ecosystem exclusively for our personal devices. Then I have synology, UniFi and now pfsense.
            I’m thinking about Philips hue, put them in a sealed off VLAN,
            Actually I don’t want them to phone home and scramble it, I don’t want them to know when I turn on my lights.

            • ?
              A Former User @MikeGraw376
              last edited by A Former User

              @mikegraw376 The bulb talks to some service, your controller app then talks to that service to control the bulb. That's how I(nternet!)oT works. It's not local. So, yeah, they are going to know when you turn your lights on and off. A selling point is you can turn off the lights from the beach halfway around the world.

              Issue is they're often easy to compromise and turn into zombie agents of bad stuff.

              Smart phone that knows your every step. Credit cards that know your every purchase. Facial recognition in your city. Let's not lose sight of the forest while we worry about the trees.

              • bingo600B
                bingo600 @MikeGraw376
                last edited by

                @mikegraw376 said in Simple DNS log per host? Pfblocker? Ntopng?:

                I’m allergic to data collectors, tracking, sniffing etc I don’t use any google products.

                Me neither , have the same attitude.

                And I have a PinePhone, to avoid tracking there (well, I can't avoid GSM mast location) but else ...

                @jwj

                Let's not lose sight of the forest while we worry about the trees.

                I'm doing my "forest" one tree at a time, since I can't do them all.

                /Bingo


                • M
                  MikeGraw376 @A Former User
                  last edited by

                  @jwj valid points. Phones and facial recognition we can’t control. I just don’t want to help burglars giving them “nobody’s home, please come in” invitations. This is especially relevant during summer holidays, where we will be away for weeks.

                  Mike

                  • ?
                    A Former User @bingo600
                    last edited by A Former User

                    @bingo600 If you don't want someone to know when you turn your lights off you can't have IoT light bulbs. Simple. The genie is out of the bottle and F'n around with DNS or firewall rules isn't going to put him back in.

                    What happens to these companies when they screw up their security and let somebody steal the data? Never update the firmware and the devices get turned into bots? Nothing much. Slap on the hand. Small fine. They don't care. Caring costs too much money. All the while people still line up to buy their stuff. It's an own goal.

                    • M
                      MikeGraw376 @A Former User
                      last edited by

                      @jwj I suppose that was addressed to me :-). Well you are right, maybe I’ll stick with a dumb home for now instead of a smart home.
                      Mike

                      • bingo600B
                        bingo600 @A Former User
                        last edited by

                        @jwj said in Simple DNS log per host? Pfblocker? Ntopng?:

                        @bingo600 If you don't want someone to know when you turn your lights off you can't have IoT light bulbs. Simple. The genie is out of the bottle and F'n around with DNS or firewall rules isn't going to put him back in.

                        It depends .... on your capabilities
                        I have put Tasmota FW in my Sonoff WiFi switches, now I can control them via "local web" & VPN

                        If I had HUE I'd look for something like this, and kick out the genie.
                        https://diyhue.org/#primary
                        https://diyhue.github.io/

                        /Bingo


                        • ?
                          A Former User @bingo600
                          last edited by A Former User

                          @bingo600 I imagine that took some time and effort. Sounds kinda cool. Have you looked at the source of that firmware? Trust it 100%.

                          The investment in time and effort to worry about light bulbs while using credit cards and mobile phones is upside down. Big effort for little things. Little effort for big things. That's the point I'm trying to make. By all means, if you can have your smart switches privately do so!

                          Take smart TV's. It sucks that they track everything. But I'm not all that worried that LG knows I watch Gilligan's Island at 3pm on Tuesdays. I have better things to do than worry about that.

                          The genie I am talking about is surveillance capitalism. Some of the wealthiest companies in the world exist on that business model. Making one set of smart home switches go dark has done F all to put the genie back in the bottle.

                          • bingo600B
                            bingo600 @A Former User
                            last edited by

                            @jwj said in Simple DNS log per host? Pfblocker? Ntopng?:

                            @bingo600 I imagine that took some time and effort. Sounds kinda cool. Have you looked at the source of that firmware? Trust it 100%.

                            Yep, I rebuilt it myself from source.
                            The main point is to get away from the "Cloud", and control it locally via LAN/VPN.
                            Then everything is "just firewalling" ...

                            Downside: the "fancy" manufacturer app on your phone will not work.
                            So there is a tradeoff.

                            But there are several "home server" web based systems that make things neat.

                            I like this one
                            https://www.home-assistant.io/

                            This is also popular
                            https://www.openhab.org/

                            /Bingo


                            • M
                              MikeGraw376 @A Former User
                              last edited by

                              @jwj I respectfully disagree. credit cards don’t expose my whereabouts other than inside the CC company. iPhones don’t do that either. IoT stuff is much easier to break in to and gives more insight in our home security.

                              That said, I don’t believe burglars will go through so much trouble hacking and analysing smart home stuff for our type of home. We’re not millionaires with large villas.

                              I suppose it’s a matter of risk (still tiny with careful VLAN segregating) and whether or not we will accept that risk to be able to enjoy the tech.
                              Mike

                              • bingo600B
                                bingo600 @MikeGraw376
                                last edited by

                                @mikegraw376 said in Simple DNS log per host? Pfblocker? Ntopng?:

                                @jwj I respectfully disagree. credit cards don’t expose my whereabouts other than inside the CC company.

                                Unfortunately that's not true (at least here in DK - Føtex)
                                The smart laser-barcode pay terminals they are using here to scan your groceries etc.
                                They are connected to the CC pay terminal, and do log your CC along with what you bought.

                                The secure payment transaction is encrypted end to end between the pay terminal and the CC company. But the CC number is snagged by the store, and saved along with the items you bought.

                                /Bingo


                                • ?
                                  A Former User @MikeGraw376
                                  last edited by A Former User

                                  @mikegraw376 Home Depot. Their POS systems were compromised. Millions of CC and other details compromised. Not a singular event, just the one that comes to mind right now. You don't have to go after the big payment processors to get the goods. Lots of links in the chain, some of them weak.

                                  Crooks go after stuff when the effort is small and the payout is large. No one cares about you or me specifically. I'm not Jeff Bezos. You can and do get vacuumed up with millions of others.

                                  The CC companies do sell the data. Don't even try to hide it. It's in the tiny print on your CC agreement or your debit card. Your purchase history, including the location of each purchase, is up for sale.

                                  Apple. They vacuum up enormous amounts of data. They keep it long term. They say they don't sell that and right now I'm inclined to believe them. BUT, when some group of a-hole activist billionaire investors buy themselves a seat on the board of directors that could change in a heartbeat. If the data exists it can and most likely will be monetized. It's so attractive. Companies and their investors can go from zero to hero overnight. Has never been like this before. Facebook, Google. From nothing to HUGE, overnight (relatively speaking). The days of companies making things that people buy and doing so overtime is so 20th century. Too little money too slowly.

                                  The only way to get around this is to enact privacy laws that make surveillance capitalism unprofitable or illegal. Not seeing that anytime soon.

                                  • ?
                                    A Former User @bingo600
                                    last edited by A Former User

                                    @bingo600 For sure you guys are better off than those of us in the US. I'm more than a little jealous.

                                    Germany, as an example, has managed things with a level of intelligence that has become all too rare. I would guess that's because they can afford to, still having a strong industrial economic base built on a highly skilled and motivated workforce.

                                    You're in Denmark? How are things? Pandemic and otherwise.

                                    • M
                                      MikeGraw376 @A Former User
                                      last edited by

                                      @jwj that may all be true, and I hate it to be, but all of that still doesn’t give away specific patterns of home occupation like IoT stuff could.

                                      Well I think this is the case but I may be totally wrong. And if I am in fact wrong, it doesn’t even matter: as long as I consider home automation to be a security threat, I'd rather stay disconnected.

                                      Many gadgets shown in “Back to the Future Part 2” have now been implemented. All except for a time-flying DeLorean. 😂

                                      Mike

                                      • ?
                                        A Former User @MikeGraw376
                                        last edited by

                                        @mikegraw376 Again, let's not get this upside down. No one is going after smart light bulb companies to get at you specifically. We agree on that. The mail man, Amazon delivery person, stoner kid down the street. They know when you're home or not. You can keep people from walking in through the backdoor while you're not home while at the same time bad guys ARE trying to suck your bank account dry along with lots of others. All because companies have no real financial incentive to care about securing your data. Worried about little things that have small chance of happening. While other real threats (to security and privacy) go unaddressed.

                                        Look, do what feels good to you, not for me to say. The real privacy (and the areas where security and privacy overlap) issues lie elsewhere.

                                        • bingo600B
                                          bingo600 @A Former User
                                          last edited by bingo600

                                          @jwj said in Simple DNS log per host? Pfblocker? Ntopng?:

                                          @bingo600 For sure you guys are better off than those of us in the US. I'm more than a little

                                          You're in Denmark? How are things? Pandemic and otherwise.

                                          Re Corona:
                                          Our daily infected rate has tripled from 700 to 2100.

                                          But we only have 480 persons in hospital, and around 45 in ICU, where 28 are on respirators.

                                          The Govmt. has shut down restaurants & bars for 50% of the country (regional shutdowns).
                                          And made online education for students 5th grade & up.
                                          We have to wear masks in shops & public transportation.

                                          They fear Xmas where families across country gather.

                                          Edit : We're around 5.5 Mill ppl. , so not even NY Size.

                                          /Bingo


                                          • ?
                                            A Former User @bingo600
                                            last edited by A Former User

                                            @bingo600 Are people being, generally, smart? Understanding that it's not obedience but a sense of collective self preservation.

                                            Something that has been absent here in the US. :(

                                            Anyhow, be well! I have noted those projects you shared for future messing around. :)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.