VOGONS


First post, by Kerr Avon


I've been using Zorin Linux on my laptop, and it seems great, at least for the few things I've used it for (including internet access). I've kept Windows 10 on it too, for Windows-only programs, but only for offline use because of the lack of future Windows security updates. I have a Windows 10 desktop, on which I also want to dual boot Zorin and Windows 10, and of course I will want Zorin online and Windows 10 offline. On the laptop it's easy to stop Win10 from accessing the internet, I just didn't tell it my Wi-Fi password, but the desktop is connected by a cable to the router, and rather than just physically disconnecting the cable (or turning off the router) when using Windows 10, I'd prefer to disable internet access in Win10. But it's Windows, so I can believe it could randomly connect because Windows sometimes does change some settings for seemingly no reason.

So what is the best way to permanently stop Windows 10 from going online even though the PC is connected by cable to the router?

Thanks for any answers.

Reply 1 of 17, by wierd_w


Blackhole Microsoft's servers with the HOSTS file?

A bit ghetto, but 'maybe'?

Reply 3 of 17, by Disruptor


Static IP address, NO default gateway.

Reply 4 of 17, by wierd_w

Disruptor wrote on Today, 16:30:

Static IP address, NO default gateway.

This, this will DEFINITELY work, as long as you don't have multiple private subnets.

You'll need to make sure the router's DHCP pool has a region reserved for static assignments to avoid accidental collisions.

Reply 5 of 17, by weedeewee


If you do not need network access in Windows, the easiest thing to do would be to disable the network adapter in Device Manager.

Right to repair is fundamental. You own it, you're allowed to fix it.
How To Ask Questions The Smart Way
Do not ask Why !
https://www.vogonswiki.com/index.php/Serial_port

Reply 6 of 17, by Disruptor

wierd_w wrote on Today, 16:52:
Disruptor wrote on Today, 16:30:

Static IP address, NO default gateway.

This, this will DEFINITELY work, as long as you don't have multiple private subnets.

You'll need to make sure the router's DHCP pool has a region reserved for static assignments to avoid accidental collisions.

When you play with multiple private subnets, you have the knowledge how to configure permanent routes.
Example: NO default gateway, permanent route to 192.168.0.0/16 via router.

Reply 7 of 17, by aVd

weedeewee wrote on Today, 17:09:

If you do not need network access in Windows, the easiest thing to do would be to disable the network adapter in Device Manager.

Hi, @weedeewee,
I was thinking the same, but we can’t be sure that the micro$oft virus 10 (I mean win 10) doesn’t secretly use the NIC "internally", even when it’s "disabled" from "Device Manager" (or even if its driver has been uninstalled).

I've heard the "conspiracy theory" about the hardware built-in Minix 3 OS in the newer intel CPUs and how they are still working in background, when the machine is "switched off", but still powered-on through PSU (+5V stand-by is there until you pull the power plug) and the network cable is plugged-in 😀

Router solution sounds better to me.

EDIT: Added quotation marks, where I missed them.

Last edited by aVd on 2026-03-30, 19:18. Edited 1 time in total.

DOS fan :: artificial "intelligence" (chat) bots - not a fan... not a fan at all :: is freeware a lie, when human freedom is a fundamental lie?

Reply 8 of 17, by dr_st

aVd wrote on Today, 18:31:

Hi, @weedeewee,
I was thinking the same, but we can’t be sure that the micro$oft virus 10 (I mean win 10) doesn’t secretly use the NIC "internally", even when it’s "disabled" from "Device Manager" (or even if its driver has been uninstalled).

If you cannot be sure of this, you cannot be sure of anything, so there is nothing that can be done short of disconnecting the cable.

In practice - Windows cannot use the NIC if the device is disabled. However, it can randomly re-enable it after a reboot.

aVd wrote on Today, 18:31:

I've heard about the conspiracy theory about the hardware built-in Minix 3 OS in the newer intel CPUs and how they are still working in background, when the machine is "switched off", but still powered-on through PSU (+5V stand-by is there until you pull the power plug) and the network cable is plugged-in 😀

That wouldn't be Windows using it, that would be the Intel Management Engine, and as far as I know - it only works with Intel NICs.

https://cloakedthargoid.wordpress.com/ - Random content on hardware, software, games and toys

Reply 9 of 17, by wierd_w


Indeed. Also, the Management Engine is not as secure as Intel wants to pretend it is.

If attackers can get in, then sysadmins can too.

As I understand it, this has to happen very early in the boot process, but it's not like UEFI shims aren't things (used all the time).

It's disconcerting, but not wholly intractable.

Reply 10 of 17, by aVd

dr_st wrote on Today, 18:38:

If you cannot be sure of this, you cannot be sure of anything, so there is nothing that can be done short of disconnecting the cable.

In practice - Windows cannot use the NIC if the device is disabled. However, it can randomly re-enable it after a reboot.

Hi, @dr_st,
Yep, I can't be 100% sure of this and I have zero trust in corporations, so I switched to less popular Linux distros in the times of virus vista.

dr_st wrote on Today, 18:38:

That wouldn't be Windows using it, that would be the Intel Management Engine, and as far as I know - it only works with Intel NICs.

Hardware manufacturers have been playing along with m$ for decades, so I don't trust intel either. I don't trust IME (I usually obliterate this from the BIOS), and I don't believe that CPU-embedded Minix cannot work in the background while the machine is "switched-off" by using data from the m$ virus sessions.

I don't even trust Red Hat's or Ubuntu's derivatives and I don't use those corporate bullsh33ts. Now you can call me "paranoid", but I still have some respect for personal space (including the personal data) and its inviolability 😉

DOS fan :: artificial "intelligence" (chat) bots - not a fan... not a fan at all :: is freeware a lie, when human freedom is a fundamental lie?

Reply 11 of 17, by weedeewee


Vogons Terms of Use :
Troll, derail, conspiracy theorise, or engage in other deliberately destructive behaviour

You stated your opinion.

Mine still is: disable the NIC in Windows Device Manager, and do the same for the Wi-Fi adapter if there is one available in Windows. Not entering a password is not the way.

Right to repair is fundamental. You own it, you're allowed to fix it.
How To Ask Questions The Smart Way
Do not ask Why !
https://www.vogonswiki.com/index.php/Serial_port

Reply 12 of 17, by aVd


@weedeewee, it's not a conspiracy theory, I just missed the quotation marks. It's a conspiracy fact i.e. a real corporate conspiracy.

And why all this hostility, with quotes from the forum's rules and insinuations of trolling? This is a serious topic.

The safest (and most inconvenient) solution remains to unplug the power cord after turning off the computer and disconnecting the network cable before using the micro$oft OS.

DOS fan :: artificial "intelligence" (chat) bots - not a fan... not a fan at all :: is freeware a lie, when human freedom is a fundamental lie?

Reply 13 of 17, by eM-!3


Just like others said, when I want to disable Internet but keep LAN I change to static IP and remove the gateway. But you can disable the connection or network device if you don't need the network at all.

Reply 14 of 17, by wierd_w


Not really.

ME / PSP was created to do a legitimate activity, but the creators have a difficult time understanding that it's not actually possible to assure the security of such a secure enclave.

Simply because a thing *can* be used maliciously does not mean it was created with malice in mind.

If you are a government spook where the theoretical attack surface is an unreasonable risk, Intel and AMD both sell special processors that don't have the secure enclave. You don't have to be a spook to buy them either, you just need to know the SKU for them, and be willing to pay extra.

The real problem comes from software makers believing certain things can guarantee a revenue stream through artificial shaping of public consumption habits. Usually through artificial barriers to entry. This is ancillary to the existence or proper use of things like ME / PSP. The correct place to address this is through angry letters to congressmen, or through the voting booth, depending. Not complaints on sites without a real means to affect such public protections.

My quip was that malicious misuse of the ME / PSP can be overtly intercepted, and control asserted, by the system's primary user using an efi shim, which loads first in the boot process. Once the user owns it, the program in the enclave can actively resist further intrusion.

In other words, it's a back door you can install a bouncer in.

Even if you suspect the enclave is doing silliness, it's not magical. In order to exfiltrate data it needs to know things about your network, which it cannot easily find out without being told, and even then, is at the mercy of the router doing its job. In other words, configuring the router to blackhole something, will still blackhole something.

Is it *annoying* that Intel and AMD still want to play makebelieve about the security of the ME / PSP? Yes.

Is it the end of the world that it's there and could be abused?

No. If anything, the Secure Enclave is very useful if you are able to take ownership of it.

(More accurately: there are projects that can nuke most functionality of the ME, like me_cleaner, and some uefi firmwares allow disabling of the ME, such as Coreboot. For circumstances where that's not desirable, it's possible to put the system into 'High Assurance Platform' (HAP) mode with a software exploit, which can be done with an EFI shim. In HAP mode, most of the ME is shut off. Recently, some hacking groups have demonstrated persistent code exploits that can live in the ME. The same exploits attackers use rapidly become useful tools to gain access by whitehat security people, to act like said 'bouncer'. )

Last edited by wierd_w on 2026-03-30, 20:50. Edited 1 time in total.

Reply 15 of 17, by ott


Don't forget to configure or disable IPv6.
Empty gateway trick should also work for IPv6.

Reply 16 of 17, by momaka

wierd_w wrote on Today, 16:21:

Blackhole Microsoft's servers with the HOSTS file?

A bit ghetto, but 'maybe'?

HOSTS file doesn't quite work on Windows 10 (not sure about W8). Reason why is because you can no longer disable DNS service on W10 like you can on Win7 and XP. With DNS service running, everything goes right past the HOSTS file.
Now, early builds of W10 (from 2017 and earlier IIRC) did allow you to turn off the DNS service. But once you update, it gets re-enabled and grayed out for the user.
So HOSTS file on PC does not work.

Now in router, that could be a different story.

Kerr Avon wrote on Today, 16:14:

I've kept Windows 10 on it too, for Windows-only programs, but only for offline use because of the lack of future Windows security updates.

I really don't get how that fearmongering spreads. Seen people on here panic exactly the same way about Windows XP and 7.
oh noes, must disconnect these old systems from the internet immediately, or otherwise skynet will take over!
Sorry, but it doesn't work like that... well, at least not if you are an average user, with PC(s) sitting behind an average router with an average built-in firewall enabled. Now, if you do direct-connect your PCs to the internet (like was done back in the late 90's / early 2000's before people started using home routers and before Windows offered a software firewall), then sure, bad things could happen to your PC pretty quickly. But honestly, I wouldn't do that even to a fully patched and up-to-date OS.

ott wrote on Today, 20:48:

Don't forget to configure or disable IPv6.
Empty gateway trick should also work for IPv6.

+1

Reply 17 of 17, by dr_st

momaka wrote on 23 minutes ago:

HOSTS file doesn't quite work on Windows 10 (not sure about W8). Reason why is because you can no longer disable DNS service on W10 like you can on Win7 and XP. With DNS service running, everything goes right past the HOSTS file.

That's not true.

momaka wrote on 23 minutes ago:

I really don't get how that fearmongering spreads. Seen people on here panic exactly the same way about Windows XP and 7.

It spreads exactly in threads such as this one.

weedeewee wrote on Today, 19:05:

Mine still is: disable the NIC in Windows Device Manager, and do the same for the Wi-Fi adapter if there is one available in Windows. Not entering a password is not the way.

I don't subscribe to conspiracy theories either, but I've seen manually disabled NICs enabled randomly upon boot, so if one really wants to achieve a disconnect by software means (never mind the reason), disabling the NIC does not provide a 100% guarantee. Combined with other solutions (no gateway, static IP, router block...) - it's good.

https://cloakedthargoid.wordpress.com/ - Random content on hardware, software, games and toys
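
The combination the thread converges on (static IP with no default gateway, IPv6 handled as well, then a re-check after reboot because settings may not stick), sketched as an added PowerShell example that is not any poster's code. The adapter alias `Ethernet` and the address `192.168.1.50/24` are assumptions; pick an address outside the router's DHCP pool.

```powershell
# Added example; run in an elevated PowerShell session on Windows 10.
# Assumptions (not from the thread): the adapter alias and static address below.
$Alias  = 'Ethernet'        # assumed adapter name; list yours with Get-NetAdapter
$IPv4   = '192.168.1.50'    # assumed address outside the router's DHCP pool
$Prefix = 24                # assumed /24 home LAN

function Set-LanOnlyAddress {
    # Turn off DHCP so the router can no longer hand this adapter a gateway.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

    # Remove existing IPv4 addresses and any IPv4 default route on the adapter.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # Static address with no -DefaultGateway: only the local subnet is routable.
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IPv4 -PrefixLength $Prefix | Out-Null

    # IPv6 would otherwise learn a gateway from router advertisements,
    # so unbind the protocol from this adapter.
    Disable-NetAdapterBinding -Name $Alias -ComponentID 'ms_tcpip6'
}

function Test-NoDefaultRoute {
    # Returns $true when no IPv4 or IPv6 default route exists on ANY interface
    # (this also catches a Wi-Fi adapter or a NIC that came back after a reboot).
    $routes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue)
    foreach ($r in $routes) {
        Write-Warning "Default route via $($r.NextHop) on '$($r.InterfaceAlias)'"
    }
    return ($routes.Count -eq 0)
}

Set-LanOnlyAddress
if (Test-NoDefaultRoute) {
    'No default route: LAN only.'
} else {
    'A default route exists: this machine can still reach the internet.'
}
```

Running `Test-NoDefaultRoute` again after each reboot or Windows update shows whether the configuration has survived.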