[190399] in North American Network Operators' Group
RE: IPv6 deployment excuses
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Jul 2 12:41:55 2016
X-Original-To: nanog@nanog.org
Date: Sat, 02 Jul 2016 10:41:48 -0600
In-Reply-To: <CA+HzidT=716bnS9LSoZW-80KYSydhj04N7ZCSz7+asp9WCJLAA@mail.gmail.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of Microsoft Crapware, whether it is needed or not (and in every single case, it is not). And if you turn those exceptions "off", then they are turned back on by Microsoft and their NSA partners for you, without your permission, whenever automatic updates run (and also at other times that I have not determined the trigger). You must continuously check that the firewall (although ON) remains configured as you configured it, or if Microsoft (and their NSA partners) have changed the configuration without your permission.

Of course, most people do not bother configuring the firewall and do not wonder why every piece of Crapware has an incoming exception, and do not bother to turn those off (including some on this list apparently). So they will never notice these nefarious doings which have been a hotbed of discussion on the Internet for many years.

And this is on the latest distribution of Windows 10 including the upcoming anniversary edition and has been that way since at least the first version of Windows 8.

Whether or not Windows 7 also behaves the same way I do not know because I never ran it.

> -----Original Message-----
> From: Spencer Ryan [mailto:sryan@arbor.net]
> Sent: Saturday, 2 July, 2016 10:08
> To: Keith Medcalf
> Cc: North American Network Operators' Group
> Subject: RE: IPv6 deployment excuses
>
> Windows 8 and 10 with the most recent service packs default the firewall
> to on with very few inbound exemptions.
>
>
> On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf@dessus.com> wrote:
>
>
>
> > There is no difference between IPv4 and IPv6 when it comes to
> > firewalls and reachability. It is worth noting that hosts which
> > support IPv6 are typically a lot more secure than older IPv4-only
> > hosts. As an example every version of Windows that ships with IPv6
> > support also ships with the firewall turned on by default.
>
> Just because the firewall is turned on does not mean that it is
> configured properly.
>
> Every version of Windows that ships with IPv6 support also ships
> with the Firewall configured in such a fashion that you may as well have
> it turned off.
>
> This is especially true in Windows 8 and later where the firewall is
> reconfigured without your permission by Microsoft every time you install
> any update whatsoever back to the "totally insecure" default state -- and
> there is absolutely no way to fix this other than to check, every single
> minute, that the firewall is still configured as you configured it, and
> not as Microsoft (and their NSA partners) choose to configure it.
>
> All versions of Windows 8 and later whether using IPv4 or IPv6 are
> completely unsuitable for use on a network attached to the Internet by any
> means (whether using NAT or not) that does not include an external (to
> Windows) -- i.e., in network -- stateful firewall over which Windows,
> Microsoft, (and their NSA partners) have no automatic means of control.
> If you allow UPnP control of the external stateful firewall from Windows
> version 8 or later, you may as well not bother having any firewall at all
> because it is not under your control.
>
>
>
>
>
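
The message above calls for repeatedly checking that the Windows firewall is still configured as you set it. As an added example (not part of the original message or thread), the following PowerShell script records the inbound allow rules returned by `Get-NetFirewallRule` and reports any drift from that record; the baseline path and the script's parameters are assumptions chosen for illustration.

```powershell
# Added example: baseline and drift check for inbound allow rules.
# $BaselinePath is an assumed location; keep it where only administrators can write.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-inbound-baseline.json",
    [switch]$SaveBaseline
)

function Get-InboundAllowState {
    # One record per inbound allow rule, keyed later by the rule's unique Name.
    Get-NetFirewallRule -Direction Inbound -Action Allow |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Enabled     = [string]$_.Enabled   # "True" / "False"
                Profile     = [string]$_.Profile   # e.g. "Any", "Domain, Private"
            }
        }
}

$current = @(Get-InboundAllowState)

if ($SaveBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Saved $($current.Count) inbound allow rules to $BaselinePath"
    return
}
if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run with -SaveBaseline first." }

# Index both snapshots by rule Name so additions, removals and changes can be told apart.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$old = @{}; foreach ($r in $baseline) { $old[$r.Name] = $r }
$new = @{}; foreach ($r in $current)  { $new[$r.Name] = $r }

$drift = @()
foreach ($name in $new.Keys) {
    $n = $new[$name]
    if (-not $old.ContainsKey($name)) {
        $drift += "ADDED    $($n.DisplayName) [$name] Enabled=$($n.Enabled) Profile=$($n.Profile)"
    } elseif ($old[$name].Enabled -ne $n.Enabled -or $old[$name].Profile -ne $n.Profile) {
        $drift += "CHANGED  $($n.DisplayName) [$name] Enabled $($old[$name].Enabled)->$($n.Enabled), Profile $($old[$name].Profile)->$($n.Profile)"
    }
}
foreach ($name in $old.Keys) {
    if (-not $new.ContainsKey($name)) { $drift += "REMOVED  $($old[$name].DisplayName) [$name]" }
}
if ($drift.Count -eq 0) { Write-Output "No drift from baseline." } else { $drift | Sort-Object }
```

Run it once with `-SaveBaseline` after configuring the rules, then without arguments (for example from a scheduled task after updates install) to list inbound allow rules that were added, removed, re-enabled or moved to a different profile.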