(Topic ID: 300441)

"All-Access Connected" Stern Monthly Fee For Some Online Features

By SantaEatsCheese

2 years ago


Topic Stats

  • 205 posts
  • 81 Pinsiders participating
  • Latest reply 2 years ago by Frax
  • Topic is favorited by 10 Pinsiders

    You're currently viewing posts by Pinsider peely.

    #78 2 years ago
    Quoted from chickenscratch:

    I’ll reply…
    NAT slipstreaming requires the user to visit a website; I'll let that bake in, from a pinball machine.

    Sort of. The user within the NAT'd internal network will click on a link, not from a pinball machine. This will allow ANY device in that network (probably a home one, and potentially a pinball machine) to be exposed externally. Slipstreaming 2.0.

    I'd hope they have some solid pen testing for this app anyway, and for their broader hosted infrastructure.

    #119 2 years ago
    Quoted from chickenscratch:

    Ah yes, good point. But I would be shocked if a pinball machine would have any open ports at all; it doesn’t need to listen for anything. I’d expect all communication to originate from the pin, making the device invisible on a LAN. Could be wrong, but I’m not sure why they’d have it any other way.

    Yes, you're wrong.

    All IoT devices have a port; that's part of the TCP stack and allows a client to connect to it.
    Let's hope Stern doesn't take the easy way out and connect via port 80; the biggest risk for IoT devices is a brute force of SSH. I'm sure Stern wouldn't use the password Godzilla.

    #128 2 years ago
    Quoted from chickenscratch:

    OMG… I may be done here. So many smart sounding people that are just incorrect. What does this even mean? There are 65K some ports, doesn’t mean any need to be open. If you’re a client, like a pin, you don’t need any god damned open port. When it initiates a connection to Stern, a dynamic port will open and be mapped in a translation table, but that’s not an “open port” that’s listening for any incoming connection. This is 101 stuff boys. The pin is not a server, it doesn’t need to first respond to a request by another client. There need not be any open ports actively listening for a connection.

    Why couldn't the pin be an IoT device too? It's possible, unless you have access to the devs and/or SAs. Do you? Have you seen the architecture?

    Sure, it needs to go out to Stern, so what you say is correct. 101, as you say.
    I may be done here too; too much like work, where the BAs don't give you all the requirements...
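    The distinction the quoted post draws (a dynamic source port on an outbound connection versus a port that is actually listening) can be checked rather than argued. The following is an added example, not code from this thread or from Stern: it starts a stand-in "device service" listener, makes a stand-in "pin phoning home" client connection, and then runs a plain TCP connect scan against both ports. Only the listener answers; the client's ephemeral port refuses the probe, because nothing accept()s on it. The listener, the client and the scanned port set are constructed for the demonstration, and everything runs against loopback so it is self-contained.

```python
"""Added example: listening port vs. ephemeral (outbound) port, checked with
a minimal TCP connect scan. Constructed stand-ins, not Stern's software."""
import socket
from contextlib import closing


def start_listener(host="127.0.0.1"):
    """Stand-in for a service such as SSH or HTTP on a device: a socket that
    is bound and listening, so inbound connections complete. Port 0 lets
    the OS pick a free port, which keeps the example repeatable."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def outbound_connection(host, port):
    """Stand-in for the pin dialling out to a vendor service: a client
    socket. The OS assigns a dynamic (ephemeral) source port for it, but
    that port is only one end of an established flow; nothing listens on it."""
    cli = socket.create_connection((host, port), timeout=2)
    return cli, cli.getsockname()[1]


def port_is_listening(host, port, timeout=0.5):
    """TCP connect probe: True only if host:port accepts a connection
    (connect_ex returns 0). A refused or timed-out probe means no listener."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports, timeout=0.5):
    """Connect scan over a set of ports; returns the sorted list that listen."""
    return sorted(p for p in ports if port_is_listening(host, p, timeout))


def demo():
    """Run the whole scenario and report what the scan saw."""
    srv = start_listener()
    host, srv_port = srv.getsockname()
    cli, eph_port = outbound_connection(host, srv_port)
    conn, _ = srv.accept()  # the client's flow is now fully established
    try:
        found = scan(host, {srv_port, eph_port})
        return {"listener": srv_port, "ephemeral": eph_port, "found": found}
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    result = demo()
    print(f"listener port {result['listener']}, "
          f"client ephemeral port {result['ephemeral']}, "
          f"ports found listening: {result['found']}")
```

    Against a real machine on your own LAN the same check is a full-range connect scan from another host, for example `nmap -sT -p- <pin-ip>`: if it reports no open TCP ports, the device is a pure client as far as inbound TCP is concerned, whatever it does outbound.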

    #135 2 years ago
    Quoted from mbwalker:

    Wouldn't the real issue be just getting into an individual's network, not so much the pin?

    See the above reply on Slipstreaming 2.0 and how you can expose devices within a VLAN.

    #145 2 years ago
    Quoted from chickenscratch:

    Again, the pin can't be the vector for an SSv2 attack as you're not browsing the web with your pin. So it would be another device on your network that would expose your internal hosts. And if that's the case, that's not the pin's fault (and you have much larger problems), nor would the pin be any more exposed if it has no listening ports, as it shouldn't have any.

    Lots of assumptions there, Mr CIO.

    #148 2 years ago
    Quoted from chickenscratch:

    I mean… it’s literally facts
    But, I’m open to learning, what were the assumptions there and where can I learn?

    OK, I'll try; can't guarantee everything in life.
    You can't categorically tell me there will be no web service or other admin service available, such as SSH, in this software produced by Stern unless you have access to a dev on the team or another tech person. You seem to know a lot about the business requirements for the Stern project team. Do you know someone on the team or something? Otherwise you're simply making things up... like me.
    To be compromised, it needs a victim in the internal network on a PC that can fire off the malicious JavaScript to create a new port forwarding rule for ALL clients on that VLAN, including the pin. Can't be initiated by the pin... yes.

    Again, we're just hypothesizing about what's under the hood. Yes, agree re trumpster.

    #152 2 years ago
    Quoted from chickenscratch:

    This really isn't at you peely... I'm just done... so
    Nah, I'm the one not making things up lmao
    SSH... ok cool; Stern dumbly leaves an SSH port open (OMFG why lol) that... they absolutely can't connect to because you, the customer, never logged into your router and port forwarded it from the WAN.
    So you have LAN attacks left - ok.
    Slipstream 2.0 - ok
    That's fair game, that's an argument, but A LOT of assumptions, mainly Stern leaving 22 open.
    This is so non-sensical... not peely at times but all the "IT hats" coming out of the woodwork. I'm done. Especially because none of y'all can understand how to properly debate, and keep throwing personal attacks in. Here... here's my freebie infographic.
    I should have stopped before, and now I'm finally done arguing IT on a fucking pinball forum - god, am I a sucker for trolls
    [quoted image]

    Cool your jets, bud, all good. I've been in IT for 25 years too and like to debate nerdy things; that's how you learn, right? I'm a little closer to the command line than you, however... ❤

    #158 2 years ago
    Quoted from Darscot:

    What is going on in this thread?! How hard are you guys hitting the devils lettuce to be this paranoid about a pin being online.

    I'm a self-employed consultant to large corporates like banks and big retailers. I approach most of my solutions with security in mind, and also have an IT security background and rely on smart peeps to contribute to my solutions. Dealing with some IoT devices that measure temperature in stores' fridges atm. Paranoid, yes.


    This page was printed from https://pinside.com/pinball/forum/topic/all-access-connected-stern-monthly-fee-for-some-online-features-?tu=peely