Charter internet vs AT&T Fiber

[harshness]

MacOS malware is getting pretty insidious. I read yesterday that there's now a "popular" MacOS malware strain (the Pirrit Safari adware extension) that has been rejiggered to attack the M1 SoC.

Modern operating systems shouldn't need hardware firewalls to play on the Internet. That Apple has always played innocent until they have a solution (or someone rats them out for not speaking up -- a more and more popular pastime) isn't helping.

 

[Juan]

For the att fiber
If its like verizon fios ( pon..passive optical network)
The big advantage is that if you have a generator during a power outage ..it will work

Just make sure the ont gets powered by the generator

 

[ncted]

MacOS malware is getting pretty insidious. I read yesterday that there's now a "popular" MacOS malware strain (the Pirrit Safari adware extension) that has been rejiggered to attack the M1 SoC.

Modern operating systems shouldn't need hardware firewalls to play on the Internet. That Apple has always played innocent until they have a solution (or someone rats them out for not speaking up -- a more and more popular pastime) isn't helping.

Shouldn't is subjective. Modern OSes are huge, complicated things, not to mention browsers with armies of developers working on them in their own style. The attack surface is enormous. A host-based IPS used to be enough (and I run AIDE on our Macs, in addition to the built-in Xprotect). The real issue for things like that which used to work fine is all the settings are in an encrypted database now instead of in easily readable and stat-able flat files, so it isn't as easy to detect changes. e.g. What is the point of hiding the modification time and checksum on the list of DNS servers if the contents of the list are still available via the resolver?

Anyway, it has become clear to me that a more multi-layered approach is necessary to detect and protect against this kind of thing. I cannot trust the OS itself to recognize the infection, even with help from additional security software.

 

[ncted]

For the att fiber
If its like verizon fios ( pon..passive optical network)
The big advantage is that if you have a generator during a power outage ..it will work

Just make sure the ont gets powered by the generator

So far, experience has shown me that, if the power goes out, AT&T Fiber will be out for at least as long. The fiber feed is seemingly on the same poles as the neighborhood's power feed, and the power gets fixed first. Spectrum seems to be somewhat less susceptible, but not immune by any means. I don't have a generator (yet anyway). I wish we just had Fios like Verizon advertised we would in the early 2000s when we moved to Durham. They had actual billboards up telling everyone they would be getting it, right up until they sold us off to Frontier.

 

[Juan]

So far, experience has shown me that, if the power goes out, AT&T Fiber will be out for at least as long. The fiber feed is seemingly on the same poles as the neighborhood's power feed, and the power gets fixed first. Spectrum seems to be somewhat less susceptible, but not immune by any means. I don't have a generator (yet anyway). I wish we just had Fios like Verizon advertised we would in the early 2000s when we moved to Durham. They had actual billboards up telling everyone they would be getting it, right up until they sold us off to Frontier.

Does it have ont?.. the fiber doesn't have repeaters..the laser is in the ont( nid ).. if that has power you are goldeb

 

[ncted]

Does it have ont?.. the fiber doesn't have repeaters..the laser is in the ont( nid ).. if that has power you are goldeb

It does have an ONT. I have it on UPS. Every time we've lost power, the ONT loses link, so that is why I think the uplink(s) out of the neighborhood must be on the same poles as the power. Could be another explanation, but I am not sure what.

 

[Juan]

It does have an ONT. I have it on UPS. Every time we've lost power, the ONT loses link, so that is why I think the uplink(s) out of the neighborhood must be on the same poles as the power. Could be another explanation, but I am not sure what.

if its fiber to the house..the ont is on the side of the house and it uses your power but if the ont is on a pole..and they run coax to your house..its commercial power

 

[ncted]

if its fiber to the house..the ont is on the side of the house and it uses your power but if the ont is on a pole..and they run coax to your house..its commercial power

The ONT is in my wiring closet, on my power. There is armored fiber running from the ONT to the street box. The poles are at the exit of the PUD, on the state highway. Everything is underground inside the PUD and on poles outside the PUD.

 

[Juan]

The ONT is in my wiring closet, on my power. There is armored fiber running from the ONT to the street box. The poles are at the exit of the PUD, on the state highway. Everything is underground inside the PUD and on poles outside the PUD.

So if you are in texas like situation..and need a generator because you lost power for a week or so..you can have internet...cable uses commercial power

 

[ncted]

So if you are in texas like situation..and need a generator because you lost power for a week or so..you can have internet...cable uses commercial power

Yeah, I get what you are saying. In theory, the fiber should be more reliable during a power outage, as long as I can get power to the ONT and the RG. In practice, every time we have an ice storm and power goes out for a day or two, the fiber is out just as long if not longer because the upstream line has been cut in the same place the power is. The cable is underground all the way to the fiber ring connection, which is the opposite direction the power and fiber lines run. The cable was put in when the neighborhood was built in the late 90s. The Fiber was added in 2015/16. AT&T is not the ILEC, so they had to run new fiber on poles and then they microtrenched once inside the PUD.

 

[harshness]

The real issue for things like that which used to work fine is all the settings are in an encrypted database now instead of in easily readable and stat-able flat files, so it isn't as easy to detect changes.

I almost hope that those who dreamed up nightmares like the Windows Registry and XML will be the end of their bloodlines. When an application requires a full-blown interpreter just to parse its parameters, there's something rotten going on.

The OS itself isn't typically the entry point. The entry point is sloppy Internet client software and anything that resembles Microsoft Office with all of its inter-application interactivity (this includes anything and everything from Adobe).

Webkit has always been fraught for some reason and trying to keep up with all of the Windows runtimes and virtual machines will perhaps never be solved.

The networking hardware side of things presents its own plethora of issues. Whether it is Cisco, DLink, Juniper, Netgear or someone else, there's fundamental router/switchgear vulnerabilities found every week. Pick your poison -- ease of use versus ease of entry.

 

[ncted]

The networking hardware side of things presents its own plethora of issues. Whether it is Cisco, DLink, Juniper, Netgear or someone else, there's fundamental router/switchgear vulnerabilities found every week. Pick your poison -- ease of use versus ease of entry.

I chose Synology for a reason -- their regular updates. It is essentially a small business router, which expects security holes to be fixed quickly.

 

[harshness]

I chose Synology for a reason -- their regular updates. It is essentially a small business router, which expects security holes to be fixed quickly.

My two-year-old Linux installation gets more frequent updates that take far less time than my Synology NAS to run. Further, Debian usually doesn't have to reboot when it gets its updates (even Kernel updates). My Synology NAS is usually out of commission for at least ten minutes when doing a point point update.

Blaming bad user behavior on software and firewalls is to ignore the real problem but you can't say enough bad things about companies that regularly hit the 7.6 mark or higher in the CERT vulnerability report.

 

[ncted]

My two-year-old Linux installation gets more frequent updates that take far less time than my Synology NAS to run. Further, Debian usually doesn't have to reboot when it gets its updates (even Kernel updates). My Synology NAS is usually out of commission for at least ten minutes when doing a point point update.

Blaming bad user behavior on software and firewalls is to ignore the real problem but you can't say enough bad things about companies that regularly hit the 7.6 mark or higher in the CERT vulnerability report.

I think I am missing your point. Are you using your NAS as a router? I did not order a NAS. I ordered a router (which does do some rudimentary NAS functions, like most modern routers). Synology issues quarterly updates for their router products, plus interim patches as needed. I am not interested in managing Snort myself, thanks very much. I spend all day working with arcane technology problems. I don't want to do it in my spare time too.

Not sure about the update times -- I found no mention of that being an issue in any of the reviews or comments I read. I guess I'll find out.

I cannot find the report you reference which ranks companies, so I don't know which company you are referring to. Apple? Synology?

As for bad user behavior, yes that is a major factor in most breaches, but the reality is, you don't need to click on a phishing link to get infected. Malware in ads, trackers, etc. are a major source of infections that are almost impossible to completely avoid if you want to use the web. At my work, most of the malware that Crowdstrike detects is in tracking beacons. This is why people need more than just a NAT between them and the internet. At the very least, they need something to detect suspicious activity on their network.

 

[harshness]

I ordered a router (which does do some rudimentary NAS functions, like most modern routers).

I've never thought of Synology as a router vendor. I learned something.

Synology issues quarterly updates for their router products, plus interim patches as needed. I am not interested in managing Snort myself, thanks very much. I spend all day working with arcane technology problems. I don't want to do it in my spare time too.

That's why I use pfSense. It is free and it handles the easy stuff as well as the arcane stuff and it has a long history along with great documentation and many tutorials.

I cannot find the report you reference which ranks companies, so I don't know which company you are referring to.

CERT ranks vulnerabilities, not companies. If you skim through the weekly reports, you'll see a rogue's gallery of companies that show up almost every week with something amiss. Adobe may get a bad rap because they're early in the alphabetical sorting, but there are others that you can almost always expect to find along with them. These reports are required reading for the hardcore worrywart:

Vulnerability Summary for the Week of February 8, 2021 | CISA

us-cert.cisa.gov

Each vulnerability is assigned a score from 0-10 (10 being dire).

As for bad user behavior, yes that is a major factor in most breaches, but the reality is, you don't need to click on a phishing link to get infected. Malware in ads, trackers, etc. are a major source of infections that are almost impossible to completely avoid if you want to use the web.

If you want to use the popular client tools (Chrome, Edge, Outluck, Acrobat Reader, Microsoft Office), yes. If you use the hardened ones, it is much safer and the penalty isn't usually all that stiff.

At my work, most of the malware that Crowdstrike detects is in tracking beacons. This is why people need more than just a NAT between them and the internet. At the very least, they need something to detect suspicious activity on their network.

You can choose to be paranoid or you can choose to educate. For home use, I'm not sold on giving myself an ulcer over what could possibly happen.

 

[Foxbat]

I have ordered a Synology RT2600AC router than can be configured with a real IPS/IDS.

That's what I got last year to retire my Apple Time Capsule, I've been very happy with its performance and capabilities. I have an 8TB external USB 3 HD for storage so I have plenty of room for my Time Machine backups and music.

I'll have to look into the IPS/IDS capabilities, though I didn't get it for that purpose.

 

[ncted]

That's what I got last year to retire my Apple Time Capsule, I've been very happy with its performance and capabilities. I have an 8TB external USB 3 HD for storage so I have plenty of room for my Time Machine backups and music.

I'll have to look into the IPS/IDS capabilities, though I didn't get it for that purpose.

Do you run the USB port at version 3 speeds or version 2? Time Machine backups seem a bit slow to finish with the default 2.0 speed.

 

[Foxbat]

I'm using the USB 3 port on the side, not the back. I'm not sure why all the USB ports aren't all USB 3.

 

[ncted]

I'm using the USB 3 port on the side, not the back. I'm not sure why all the USB ports aren't all USB 3.

I was referring to this setting under wireless:

 

[Foxbat]

Ah, yeah, I didn't select that. 5 GHz was my intended WiFi frequency instead of 2.4 GHz. Plus, I wanted the full USB speed.