What can access my computer

[bigpup]

ShieldsUp
https://www.grc.com/x/ne.dll?bh0bkyd2
This is a test of what your internet connection is doing to block access to your computer.

[mikeslr]

Hi bigpup,
I've clicked the 'thank you button'. But I'm not sure your post may not have the adverse effect of pushing me further into paranoia.

It being pre-first cup of coffee, I had accidentally opened Opera rather than my usual palemoon. Running GRC's All Ports test it revealed that port 443 was not shielded. About port 443 GRC advises:

"This port is used for secure web browser communication. Data transferred across such connections are highly resistant to eavesdropping and interception. Moreover, the identity of the remotely connected server can be verified with significant confidence. Web servers offering to accept and establish secure connections listen on this port for connections from web browsers desiring strong communication security.
Once established, web browsers inform their users of these secured connections by displaying an icon — a padlock, an unbroken key, etc. — in the status region of their window."

So far, using Palemoon, Mike Walsh's last Google-Chrome SFS and firefox for the same test port 443 was shielded. The comparison is particularly curious as I was running opera with its free vpn turned on.

Under all web-browsers so far, despite sitting behind both the routers and Bionicpup64's firewall, GRC reports that the system fails the 'ping' test: "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

Will continue to explore, especially while running Bionicpup64's VPN application. But I wondered if there was some good reason for not configuring Puppy's firewall to block, drop or ignore ping requests; and if there wasn't how to accomplish that.

[mikeslr]

Just a brief update to my post. Tested "All ports" using firefox-esr, brave, iron-portable and vivaldi-portable. All showed that port 443, indeed all ports, were shielded.

Using Tor produced interesting results. See attached.

Using Tor.png (27.67 KiB) Viewed 612 times

The IP shown is not that associated with my system.
GRC advises:
Port 80:
"This is the primary port used by the world wide web (www) system. Web servers open this port then listen for incoming connections from web browsers. Similarly, when a web browser is given a remote address (like grc.com or amazon.com), it assumes that a remote web server will be listening for connections on port 80 at that location."

Port 993: "imap4 protocol over TLS/SSL"

Got a couple of things to do before setting up VPN. But I suspect that port 443 may be opened when you're using some device which employs a means to redirect your communications otherwise you may not be able to receive responses.

[williams2]

I wondered if there was some good reason for not configuring Puppy's firewall to block, drop or ignore ping requests

Puppy's firewall used to have pings (ICMP) blocked, by default.

Often, if your internet connection is through a router, or similar device, it is the router that is responding to the pings.

You can configure a device like a router to not respond to pings, or you can configure the router to forward the ports that the ping is using, which will then be blocked by Puppy's firewall.

Port 443 is used by https, that is, port 443 is used by most web pages.

[mikewalsh]

@mikeslr :-

Mm. Y'know, Mike, I've never been too sure as to quite how effective Steve Gibson's ShieldsUp! 'visibility' tests really are. You have to remember the site was originally set up around the turn of the Millennium - yes, it's been running for the best part of two decades! - and was specifically designed for Windows, which was in almost universal usage at that time.

Every time I've ever run the All-Ports test, or the UPnP test, I've always achieved a perfect "TruStealth" rating, or the "equipment has failed to respond to a single ping packet". Which I find just a wee bit TOO good to be true; consumer equipment just ain't "hardened" to anything like that degree, and I certainly haven't gone out of my way to set it up like that.....

I'd take all the test results with a pinch of salt, mate. A pretty large pinch, at that...! Much as we'd all of us love for Puppy to take credit for such "stealthiness", I doubt that's really the case.

T'other Mike.

[Wiz57]

I concur with Mike Walsh...I even ran those tests with this old netbook booted into Windows XP SP3,
everything "green" (stealth) but for ping. That's with only the Windows firewall running, though I
suspect it also has something to do with the way I connect to the net, via wife's smartphones
hotspot! Both ScPup32 and WinXP SP3, using a version of Palemoon to run the tests...
Wiz

[mikeslr]

Hi again All,

If the 'too good to be true' results from ShieldsUp are to be taken with a heavy dose of salt, then hopefully it's 'too bad to true' reports should be taken with a heavy dose of sugar.

Installed vpn-onoff and with it running my IP now showed as somewhere in France. The attached shows ShieldsUp report running Palemoon.

Using Palemoon & VPN.png (26.69 KiB) Viewed 593 times

The report on Google-Chrome-portable thru the VPN was similar but not identical: there were about the same number of open ports, all in the same area.
Of course, ShieldsUp must be examining the VPN server rather than the client on my computer. But, if that's the case I'm inclined to have more faith in the security provided by opera's vpn than VPNBook*. If opera has some holes in its wall, vpn-book is Jericho.

-=-=-=-=-=-
* IIRC, VPNBook is the default using vpn-onoff.

[mikeslr]

While I had this set up, recalling someone had posted a link to a website for testing DNS leaks, I searched the old forum and found cthisbear's post, http://murga-linux.com/puppy/viewtopic. ... 337#900337
FYI, the website is https://ipleak.net/
Using palemoon thru the VPN did not show my DNS, but all the servers it found were within a couple hundred miles of my location. Opera with its VPN active only shows servers on the other side of the Pond.

Cthisbear had noted "with Opera's VPN enabled and it will list a foreign IP address instead of your own, but scroll down to WebRTC detection and you'll see your true IP address staring back at you."

That was in 2016 and the flaw has been corrected, sort of. Nothing hinted of my actual location until I authorized ipleak to undertake ... detection.. While it did not find my home, it found my neighborhood. Well, simple solution. As Dr. Kronkheit said, "Don't do that."

I'll have to make the effort to see if ProtonVPN (free version) can do better than Opera. Of course, the common wisdom is 'you only get what you pay for'. But I've yet to find a reason why I need to hide.

Tor: With VPN Off, I opened Tor to https://ipleak.net/. All 100 DNS tests errored out. Geolocation was 'not supported by this browser'. WebRTC section reported: 'No leak, RTCPeerConnection not available.' The map displayed has me not merely on the wrong side of the Pond, but somewhere in Germany. Replacing the option to authorize it is the notice 'Geolocation is not supported by this browser'.
With VPN On, I could open Tor to https://www.grc.com/x/ne.dll?bh0bkyd2. But, upon clicking the Proceed button to run tests, Tor crashed. Ditto what Dr. Kronkheit said.

[user1111]

Google products/programs all interface. Run chrome and you're giving it permission to run many things, and in the background even when not actually loaded/running, and that circumvents even outbound firewalls (set iptables to block 80/443 traffic and google will still see/get out).

For inbound, if a port has nothing attached then requests go straight into the bit bucket. Hackers prefer to originate outbound requests, as typically the returns flow freely in even if a firewall is running. One way to get that outbound flow is to compromise software, albeit via polluting a repository or using program bugs in a manner that enables capture of the instruction pointer to point to something that the hacker wants to be run. Such processes/programs can be extremely small, literally just bytes - repeated looping of 'what do you want me to try' type requests sent to the hackers server, along with the result from the last thing it tried.

Unix was secure in that you only installed software from audited/secure sources, unlike Windows where users install programs from here-there-anywhere. Not perfect, as repos have at times been hacked, but far far better. Unix style communications/conveyance is/was also relatively secure, however with Windowfication nowadays far less so - such as common practices of running Chrome/whatever.

There's a cost/benefit factor. If you like what spyware such as Google offer, then the price paid is oneself. Google can and does record everything, your voice, activities, even encrypted data communications as today's uncrackable will in time become as visible as cracking 1980's type encryption methods today. Such that sooner or later Google will know more about you than even yourself. To avoid paying that price involves resorting to using other forms of communications methods - typically other protocols than pretty much Google owned http/https - of which there are many choices but generally that do not offer the same slick look-n-feel experience. On the plus side the alternatives are seeing a somewhat revival as http/s increasingly becomes unusable due to a barrage of monetisation.

Should you care? Nothing to hide? No more or less than what you care about your physical security. Kids playing chicken with trains is fun and cool in their minds, and many may get away with it, some don't.

Google records and associates IP/activities with individuals. Each keystroke and timing of keystrokes, mouse movements, locale, geolocation, OS, browser version, screen resolution, sites/searches, voice, image, biometrics, available fonts etc etc. etc. Even just one or two of those sorts of flags can be enough to pin things down to a specific individual. With DNS lookups and recording a clear snapshot of that destination at that time, any encrypted version of that same/similar site/web-page makes cracking the encryption so much easier (encrypted = key + clear-text, is little different to key = clear-text + encrypted). A better question IMO is not what might access your computer but rather to assume your computer is accessed freely, no different to using a public library computer. Assume breached and ponder the implications that involves and the methods you might employ accordingly.

[rcrsn51]

For inbound, if a port has nothing attached then requests go straight into the bit bucket.

So does running a firewall on your local machine serve any purpose at all?

[mikewalsh]

Google records and associates IP/activities with individuals. Each keystroke and timing of keystrokes, mouse movements, locale, geolocation, OS, browser version, screen resolution, sites/searches, voice, image, biometrics, available fonts etc etc. etc. Even just one or two of those sorts of flags can be enough to pin things down to a specific individual. With DNS lookups and recording a clear snapshot of that destination at that time, any encrypted version of that same/similar site/web-page makes cracking the encryption so much easier (encrypted = key + clear-text, is little different to key = clear-text + encrypted). A better question IMO is not what might access your computer but rather to assume your computer is accessed freely, no different to using a public library computer. Assume breached and ponder the implications that involves and the methods you might employ accordingly.

So, in other words - plain English, if you like - you make the unspoken assumption that EVERYONE is "out to get you" (or that they assume they have the God-given right to carve off a piece of your hide for their benefit).....and plan accordingly.

What a dismal, paranoid existence. (Although I appreciate that in your case there is "method" to the seeming "madness". No offence intended and, I hope, none taken.)

Aren't there even 'chinks' of light, somewhere in the above scenario? Christ almighty; what a way to have to live....

I hate to say it, Ruffers, but it's getting so every one of your posts over the last couple of years has just got more & more depressing as time goes by..! (Again; no offence intended, you understand?)

Mike.

[user1111]

For inbound, if a port has nothing attached then requests go straight into to the bit bucket.

So does running a firewall on your local machine serve any purpose at all?

netstat -tuplen ... on my system (I don't know if that command works in Puppy) indicates two ports that have listen(ers) running, for vnc and sshd, which I both configure to be servers. Our router (ISP's) has a firewall that blocks access to those ports unless configured to port forward. So running a firewall on my laptop is rather pointless. I want to be able to ssh and vnc into it from elsewhere on the LAN, if I instead ran a firewall and blocked those ports then I might as well just not bother have vnc or sshd running at all. If the system is a home LAN system with a active router firewall then subjectively a firewall on the PC can be pointless. In other cases, such as when out-and-about, a active firewall can be appropriate, if there is a/any service(s) running, otherwise there's nothing to access. I believe Puppy by default is set to have no open ports ??? If not then a firewall is just building a wall around a bottomless hole.

[user1111]

...(or that they assume they have the God-given right to carve off a piece of your hide for their benefit).....and plan accordingly.

What a dismal, paranoid existence. (Although I appreciate that in your case there is "method" to the seeming "madness".

Caring about online security is no different to caring about ones personal safety, neither paranoid nor madness. But you're of course free to disregard either/both. From a perspective of Walsh World - opining that its all a pleasant/safe world out there where you're gifted free (low cost) services by capitalist ventures for nothing else in return - it must be nice. In my past working life I have seen the extreme downsides arising out of the likes of identity theft leading to suicides, so yes a darker reality.

As I've outlined in the past, security doesn't have to be extreme, more often just simple measures can largely suffice (the move on to a even easier target concept), as there are many many potential victims who live in a Walsh World. Identity theft figures are not in the tens of millions but in the hundreds of millions ... and growing, and for some it will not be just a short lived experience, but one that can span decades (and for some that proves to be 'too much'). Depressing, yes, but with awareness - better standing.

[williwaw]

To avoid paying that price involves resorting to using other forms of communications methods - typically other protocols than pretty much Google owned http/https - of which there are many choices but generally that do not offer the same slick look-n-feel experience. On the plus side the alternatives are seeing a somewhat revival as http/s increasingly becomes unusable due to a barrage of monetisation.

Perhaps you could elucidate the alternative protocols? I'm guessing a google search would not be worthwhile.

[mikewalsh]

@rufwoof :-

'Walsh World'... Hah!

Trust me, I'm under no illusions about what life is like. It's a dog eat dog world out there, where there's too many folks who, rather than earn an honest crust and go about their life in a manner that they can sustain by their own means, instead see it as their right to live off the backs of hard-working folks who DO abide by the rules.

Yes, there ARE 'darker realities' to all aspects of life.....but why go on about it in such a way as to depress everybody else? Sounds like a case of "Well, I'M miserable, so why shouldn't everybody else be..?"

Just as there is badness out there, so there is a lot of good, too. Not everybody is out to steal from you/rape you/murder you/make your life a living hell, etc, etc....there's plenty of selfless individuals out there who put themselves out to make other people's lives pleasant, and often don't expect any recompense for their efforts.

Swings & roundabouts, mate.

Mike.