TIL about this open-source tool that helps you see what connections apps make and block them if they're sus.
https://github.com/evilsocket/opensnitch?tab=readme-ov-file#key-features
@mauve Even with such a tool, you have absolutely no warranty that a covert stack, operating in supervisor mode, or directly within the south bridge SoC handling many peripherals, including the default Ethernet controller, with a hidden Linux RTOS, is not sending or receiving stuff without the knowledge of the main CPU / OS. Still, it's better than nothing.
@stman @mauve @theruran @50htz @vidak @forthy42 nods in agreement
Obviously one could then use a 2nd machine that is "air-gapped" and put a "Throwing Star" LAN tap in between, which will degrade Ethernet to 100BaseTX & provide said monitoring system with physically wired, read-only wiring to hook up to two NIC ports for promiscuous-mode capture.
That setup (or any transparent LAN tap, for that matter) is literally undetectable (unless one explicitly forces a speed beyond 100 Mbit/s, but that would not stop a professional "active LAN tap" (like a "mirror port" on a managed switch))...
OFC that also has the same security issue, but this setup has been used for #auditing and #ReverseEngineering protocols in a #CleanroomEngineering setup.
Lol, the default Arch Linux package doesn't run because of some sort of protobuf Python bindings mismatch 🤷