Streamers and network security

As @IainO says, the current streamers meet the current UK gov cyber hygiene standards… so although not risk-free, it will be very low risk… compared to the things below…

The key thing is to be aware of phishing or vishing scams… those are some of the biggest threats for regular consumers… unless you are specifically targeted because you have very high wealth, or a prominent position in society for example, you are unlikely to be targeted and have malevolent attacks made against you online.

However that doesn’t rule out opportunistic attacks against basic vulnerabilities, so simple things like keeping firmware, applications and operating systems updated, not using DMZs or pinholes unless you really know what you are doing, leaving the firewall running on your ISP router to only allow outbound connections (which is normally the default), only running certified, digitally signed software, changing all default passwords on network-connected devices, not running scripts or executables from email, again being wary of phishing and of clicking on any link in an email, ensuring websites that require interaction of any sort are secure and certified (your browser will advise if not), and never giving passwords or sensitive data, or private details if asked, online or over the phone. This will stop nuisance and opportunistic attacks.

The one thing that any cyber professional will tell you is that you can’t be entirely risk-free from being compromised… and therefore think about what would happen if your computers are compromised… can you recover? Do you have backups, and secure information offline? For sensitive or financial services that require authentication, always use multi-factor authentication wherever possible. Encrypt sensitive info if held on a computer and keep the key separate… all encryption can eventually be cracked, but the stronger it is, the longer it takes and the more it costs to do it… so it will likely be done only if there is a known benefit in doing so.

4 Likes

I always have Speedify VPN running on all our computers and devices. We have Speedify set to encrypt all data to and from each device. So really, the only data anyone could get would be encrypted and useless.

Plus, of course, all the safety measures that Simon mentions above.

Bloody hell, do you have tin foil hats as well? Your browsing experience must be awful!

2 Likes

Hi, yes, it doesn’t quite work like that. A VPN will run from a specific device like a broadband router or certain computers/devices. On a broadband router it will encrypt a tunnel to a remote endpoint; on a specific VPN-enabled device like an iPhone, it will create a tunnel from that specific device to a remote endpoint.
Most if not all streamers don’t support a VPN themselves.

But VPNs and encryption aren’t the same thing. Any web device, such as a streamer, that supports HTTPS… which most services use now… uses TLS as the network transport layer encryption. So the payload is encrypted and a key is established between your device and the server/CDN, which helps prevent somebody intercepting and/or eavesdropping on or copying the content. HTTPS is ubiquitous now. Therefore most web flows over the internet are encrypted today. This has nothing to do with VPNs.

3 Likes

You’re talking about protecting “from the Internet”. I think the biggest advantage of isolating those devices from your personal ones is protecting your personal devices from them. (once they’re compromised)

It works for me.

I’m not familiar with the UK gov standards, but what I’ve observed over the past few years: no small (security) updates, only big feature updates every 6 months or even less often. That makes me definitely want to isolate them. I struggle to believe there hasn’t been any vulnerability in any library they use in the past 5 years or so. Or that those that did just always happened to coincide exactly with a big feature release.

It’s actually fairly easy to set up and control all this in UniFi. So I have several WiFi networks broadcast: the main, the IoT, the guest and, in my case, work, which is really just a second guest network where I can configure access to a printer. Ports can be configured to use any particular VLAN. And you typically set up your firewall to drop all VLAN-to-VLAN access unless you specifically override it, e.g. for a DNS sinkhole.

1 Like

If limited to just UPnP access, then I’m guessing that is read-only by default?

Once things are set up and a VPN is running in the background, you don’t even notice it at all. You don’t even notice any of the other safety precautions that you should initially take. And I don’t use a tin foil hat, I use an aluminum pasta strainer as they’re just more comfortable and they look a bit better.

2 Likes

But my VPN specifically says, and goes into great detail regarding, how much they encrypt the data transfer. I can’t imagine Speedify VPN would bother with this if it just didn’t do any encrypting of data. Possibly, Simon, you could take a second and just Google Speedify data encryption and let me know your thoughts. I’d be happy to do that and post it, but I may not post what you require and it may break the rules here.
At my end here, I will ask them some questions regarding this through my account with them and post back.

Anyone here seen Better Call Saul? It was the mention of tin hats…

In the scenario where your UPnP server (or Roon, for example) is running on a separate computer to the NAS where your music is stored, you will need to specify the network path to your NAS in the server software.

This is typically an SMB connection and you have to specify a username and password. What I am suggesting is that whatever username is specified for access to the music files, make sure that user is read-only on the NAS share.

It’s not read-only by default; it’s whatever you set for the user on the NAS that allows access to your music.

As an aside…

I also get some comfort knowing that whatever Roon does to metadata, it can’t actually change anything in relation to the metadata stored in the files when I ripped the CD.
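A small audit of the read-only share setup described in this post, written as an added example for this thread rather than anything from the original posts or from any NAS vendor. The smb.conf text is constructed for the example, the share and account names (roon, alice, /volume1/...) are assumptions, and the access rules use a simplified version of Samba's semantics (write list/read list override "read only"; "writable", "writeable" and "write ok" are inverted synonyms; "valid users" limits who can connect). It flags any share the media-server account can write to, and any guest-accessible share.

```python
"""Check which Samba shares a media-server account can write to.
Added example for this thread, not code from the posts or from Samba itself.
Share names, paths and accounts below are assumptions chosen for illustration."""
import configparser

TRUE = {"yes", "true", "1"}


def _names(value):
    """Split a comma-separated user list such as 'roon, alice'."""
    return [n.strip() for n in value.split(",") if n.strip()] if value else []


def _bool(value, default):
    return value.strip().lower() in TRUE if value is not None else default


def load(text):
    """Parse smb.conf text (ini-style; interpolation off so '%' is harmless)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def can_connect(share, user):
    if user in _names(share.get("invalid users")):
        return False
    valid = _names(share.get("valid users"))
    return not valid or user in valid


def can_write(share, user):
    """Simplified Samba semantics, see the lead-in for the assumptions."""
    if user in _names(share.get("write list")):
        return True
    if user in _names(share.get("read list")):
        return False
    read_only = _bool(share.get("read only"), True)  # Samba default is read-only
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in share:                        # inverted synonym, last one wins
            read_only = not _bool(share[synonym], False)
    return not read_only


def audit(conf, media_user):
    """Return one finding per share that is wider than a read-only media account needs."""
    findings = []
    for name in conf.sections():
        if name in ("global", "homes", "printers"):
            continue
        share = conf[name]
        if _bool(share.get("guest ok"), False):
            kind = "guest-writable" if can_write(share, "guest") else "guest-readable"
            findings.append(f"[{name}] {kind}")
        if can_connect(share, media_user) and can_write(share, media_user):
            findings.append(f"[{name}] {media_user} can write")
    return findings


# Constructed smb.conf with two over-permissive shares. Lines are left unindented
# because configparser treats indented lines as value continuations.
WEAK_CONF = """
[global]
workgroup = HOME

[music]
path = /volume1/music
valid users = roon, alice
read only = no

[photos]
path = /volume1/photos
guest ok = yes
writable = yes
"""

# Corrected: the media account can only read; the ripping account keeps write access
# via 'write list'; the photo share is no longer open to guests.
FIXED_CONF = """
[global]
workgroup = HOME

[music]
path = /volume1/music
valid users = roon, alice
read only = yes
write list = alice

[photos]
path = /volume1/photos
valid users = alice
read only = yes
"""

if __name__ == "__main__":
    for finding in audit(load(WEAK_CONF), "roon"):
        print(finding)
```

Run against the weak config it lists the music share as writable by the media account and the photo share as writable by guests; against the corrected config it returns nothing, while alice (the account that rips CDs) still has write access through the write list.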

Do I need to worry that Elon or Jeff is listening to my music choices?

In my case my UPnP server runs on my NAS. So I don’t need access to a share.

Hah fair enough!

I guess it will very much depend on usage. Yesterday was a quiet day in the household with 90 gigs downloaded. That would just be painful all day long through a VPN, no matter how fast it is. Plus with gaming going on, the latency would get me shot.

But if your requirements are basic then fair enough.

On a related note, with almost all website traffic on HTTPS, and email, WhatsApp, etc. encrypted, I am not sure what’s left that’s not encrypted?

I’ve no experience of running the server directly on the NAS, but it might be worth looking into what sort of permissions the server software has to the data stored on the NAS and, where possible, restricting it to a suitable level.

1 Like

I use Emby on my NAS as a media server (photos, video, audio). Its access to the media shares is via an internal account on the NAS. Users need an account with the Emby server to access content. So I think that covers it.

Careful of the marketing…
A VPN is a usually encrypted tunnel. Normal web HTTPS is encrypted payloads. The encryption is usually the same in both for payloads, industry standard AES256.
The only benefit a VPN gives is that it hides your source address from destinations at the other end of the tunnel, and if the tunnel is encrypted the source and destination addresses in the packet will be unencrypted. However the payload on most modern web communication is already encrypted. An encrypted VPN will encrypt old-style unencrypted traffic and unencrypted non-web traffic, like unencrypted mail.
If you want really secure tunnels, you need to use an onion VPN. This is slower but hard to trace… and probably not sensible to talk about it here.

Edit: Looked at Speedify… it uses industry standard AES256, like TLS 1.2 can do.

1 Like

Another Ubiquiti UniFi user with firewall and rules set up.

I use 3 VLANs. The main one that contains all music, home PCs etc., one for IoT devices and a third for my wife’s work computer, which required a specific network setup.

Network rules preventing IoT from accessing the other VLANs are in place. Same for the work VLAN… interestingly, it’s that network and not the IoT one that has been caught trying to access specific IP addresses on other VLANs which it had no need to do.
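The "drop all VLAN-to-VLAN traffic unless specifically overridden" policy described in the two UniFi posts above (the one with the DNS sinkhole exception and this one with three VLANs), modelled as a first-match rule list so the ordering can be checked. This is an added example for the thread, not UniFi code or an export of anyone's real ruleset; the VLAN address ranges, the sinkhole address and the sample flows are all constructed assumptions. It shows the two things people most often get wrong: the sinkhole override has to sit before the catch-all drop or it never matches, and an allow-established/related rule is what lets a trusted VLAN open connections into IoT and still get replies back.

```python
"""Inter-VLAN firewall policy as a first-match rule list.
Added example for this thread; not UniFi code and not a real ruleset export.
VLAN ranges, the sinkhole address and the sample flows are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLANS = {                                   # assumed addressing
    "main": ip_network("192.168.10.0/24"),  # music, home PCs, NAS
    "iot":  ip_network("192.168.20.0/24"),  # streamers, TVs, plugs
    "work": ip_network("192.168.30.0/24"),  # second guest-style network
}
UNTRUSTED = {"iot", "work"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_SINKHOLE = ip_address("192.168.10.53")  # assumed sinkhole host on the main VLAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False  # connection tracking says this is reply traffic


def vlan_of(addr):
    a = ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), "internet")


def build_rules(sinkhole_first=True):
    """Rule list in evaluation order; each rule is (name, predicate, verdict)."""
    established = ("allow-established", lambda f: f.established, "allow")
    sinkhole = ("allow-dns-sinkhole",
                lambda f: vlan_of(f.src) in UNTRUSTED
                and ip_address(f.dst) == DNS_SINKHOLE and f.dport == 53,
                "allow")
    lateral = ("drop-inter-vlan",
               lambda f: vlan_of(f.src) in UNTRUSTED
               and any(ip_address(f.dst) in n for n in RFC1918),
               "drop")
    rest = ("allow-everything-else", lambda f: True, "allow")  # internet-bound, trusted VLANs
    if sinkhole_first:
        return [established, sinkhole, lateral, rest]
    return [established, lateral, sinkhole, rest]  # misordered: the override is dead code


def evaluate(flow, rules):
    for name, matches, verdict in rules:
        if matches(flow):
            return verdict, name
    return "drop", "implicit-default"


def dropped(flows, rules):
    """Log-style lines for every dropped flow, the kind of record that shows a
    device on one VLAN repeatedly probing addresses on another."""
    lines = []
    for f in flows:
        verdict, rule = evaluate(f, rules)
        if verdict == "drop":
            lines.append(f"DROP {rule} {vlan_of(f.src)} {f.src} -> "
                         f"{vlan_of(f.dst)} {f.dst}:{f.dport}/{f.proto}")
    return lines


# Constructed sample traffic.
SAMPLE = [
    Flow("192.168.20.15", "192.168.10.7", 445),                 # streamer -> NAS SMB
    Flow("192.168.20.15", "192.168.10.53", 53, "udp"),          # streamer -> sinkhole
    Flow("192.168.20.15", "203.0.113.10", 443),                 # streamer -> CDN
    Flow("192.168.10.7", "192.168.20.15", 80),                  # PC -> streamer web UI
    Flow("192.168.20.15", "192.168.10.7", 52000, established=True),  # reply to the above
    Flow("192.168.30.5", "192.168.10.7", 445),                  # work laptop -> NAS
]

if __name__ == "__main__":
    for line in dropped(SAMPLE, build_rules()):
        print(line)
```

With the rules in the right order the streamer's SMB attempt and the work laptop's probe are dropped while sinkhole DNS, CDN traffic and replies to the main VLAN get through; with `sinkhole_first=False` the same DNS lookup is dropped by the catch-all, which is exactly the "DNS stopped working after I locked down IoT" symptom.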

Yeah, that makes sense. I’m sure we’re quite safe these days for the most part. Like Simon said, we’re not at-risk users.
You’re right about the speed. I have 1 gig service, but with the VPN on the download speed is about 250 kbps, which is fine for the streaming I do, but for gaming it would be hopeless. I would like to get a flying game, like WW1 and WW2 dogfighting etc. But I would probably just play against the computer.

2 Likes

Thanks for the extra info Simon and for checking out Speedify.
Clearly, I still have a lot to learn.

Edit: I checked out Tor from Speedify after you mentioned it. Very interesting. I can see it would have its purposes. I left MI6 years ago, so I no longer need that level of anonymity. 🙂

1 Like