UPnP joins the 'just turn it off on consumer devices, already' club

Universal Plug 'n' Play, that eternal feast of the black-hat, has been identified as helping to amplify denial-of-service attacks. Researchers at Imperva looked into misbehaving UPnP implementations after spotting odd attack traffic while analysing a Simple Service Discovery Protocol (SSDP, an Internet proposal absorbed into …

  1. This post has been deleted by its author

  2. Hans 1
    Holmes

    Doctor, where have you been all this time ?

    UPnP joins the 'just turn it off on consumer devices, already' club

    A bit late to the party, it has always been in that club, even before the first implementations were tested, the whole idea of UPnP is just silly!

    1. Lee D Silver badge

      Re: Doctor, where have you been all this time ?

      Quite.

      "Allow any local network client to request any external port to be forwarded to any internal port on any internal computer, without notification or authentication".

      If you weren't turning off UPnP from day one, you're an idiot.

      P.S. No... I do NOT have any problems playing games, talking on Skype, etc. etc. etc. Never have had. And I forward precisely ZERO ports.

      P.P.S. Though, technically, you COULD have authentication, nobody has it, uses it, implements it or configures it. Most routers etc. don't even allow you to touch it... it's UPnP on or off, and that's it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Doctor, where have you been all this time ?

        If you weren't turning off UPnP from day one, you're an idiot.

        That's true for El Reg readership, who are the technically capable portion of the population. For the unwashed masses, who want to buy a wireless router and just 'plug it in and go' with the minimum of fuss, if UPnP didn't exist the alternative would be worse: Applications that needed to accept connections from the outside would probably include instructions in how to place your PC in the DMZ and disable its internal firewall.

        NAT has a lot of faults, but the security that rather unintentionally comes along for the ride wasn't one of them.

        1. Lee D Silver badge

          Re: Doctor, where have you been all this time ?

          "Applications that needed to accept connections from the outside would probably include instructions in how to place your PC in the DMZ and disable its internal firewall."

          And no such novice computer user has any programs that require that.

          That's exactly my point.

          Unless you are expecting to be a host server for something, you don't need to bypass NAT at all. Even SIP etc. will work inside NAT and that's a horrible protocol.

      2. Sloth77

        Re: Doctor, where have you been all this time ?

        "P.S. No... I do NOT have any problems playing games, talking on Skype, etc. etc. etc. Never have had. And I forward precisely ZERO ports."

        Most likely you are playing games that do not require peer-to-peer access between players. Some games, particularly Xbox games, but also PC (eg. Elite Dangerous) do require it however and won't work without either uPnP or manual port forwarding.

        As regards Skype, I suspect it falls back to a centralised server (ie. middleman) approach if it cannot establish a direct connection between users.

        1. Charles 9

          Re: Doctor, where have you been all this time ?

          That's what Skype does. P2P programs also try this but note that this is suboptimal because you have to rely on a Trent to get you hooked up, and can you trust Trent? Without UPnP or the ability to port forward, you cannot host.

          1. heyrick Silver badge

            Re: Doctor, where have you been all this time ?

            "Without UPnP or the ability to port forward, you cannot host."

            The Orange Livebox comes with UPnP enabled by default (yes, I killed that and WPS the moment I first logged into it). Your sentence, I'm wondering how many people with these routers would even understand what that means, never mind needing it. UPnP is something that should be off until it is required, not the other way around.

        2. Orv Silver badge
          Black Helicopters

          Re: Doctor, where have you been all this time ?

          Skype hasn't been peer-to-peer in years. Coincidentally, this change happened right around the time that the US government was leaning on them to make Skype conversations easier to eavesdrop on.

      3. Hans 1
        Coat

        Re: Doctor, where have you been all this time ?

        If you weren't turning off UPnP from day one, you're an idiot.

        If you weren't turning off UPnP from day one, you're a n00b.

        TFTFY

  3. Anonymous Coward
    Anonymous Coward

    another lesson

    "The lesson is simple: sysadmins need to block UPnP from Internet-facing access; and vendors making consumer-grade devices need to make that block the device default."

    And every gaming site needs to update its multi-player network advice as well. So many use upnp advice because no-one understands what an IP address or a port is ...

    1. Field Commander A9

      So many use upnp advice because no-one understands what an IP address or a port is ...

      Too right.

      For the average Joe, they bought a console to have a hassle-free gaming experience.

      "Fuck that! If I wanted to fiddle with things, I'd have bought a stupid computer instead!" is the default mindset.

    2. Lee D Silver badge

      Re: another lesson

      Repeat after me:

      NOBODY NEEDS TO FORWARD PORTS UNLESS THEY ARE RUNNING A SERVER.

      1. Adam 52 Silver badge

        Re: another lesson

        I'm running lots of servers; my phone, my PlayStation, my DVR, my doorbell, my lightbulb...

        1. Lee D Silver badge

          Re: another lesson

          Your phone is not a server. If you nmap it, it likely has zero ports open unless you turn on Wifi hotspot functionality.

          Your Playstation is neither (though if it claims that peer-to-peer network requires a port forward because some games producers are cheap and won't run matchmaking servers).

          Your DVR may well be. But only if it's not capable of talking out to a central server which acts as a proxy like most DVRs do for their mobile apps. (Hint: Have you seen the stories for the last 5 years about how insecure DVRs are, the article on BBC News yesterday about the guy who had a DVR open to the world and didn't know, etc.? There's a reason we don't let ordinary people run servers).

          Your lightbulb - if you're stupid enough to have networked lightbulbs - I'd hope they only operate internally on your Wifi, but if not then see the DVR answer.

          Sorry, but nothing you have REQUIRES a port-forward, unless you are providing an actual service. Running a web server. Running an email server. Running a games server (not just playing games online on other people's servers). All of which require more care about how you do so than the average person can ever give them, which is why we put people behind NAT on home routers.

          And if you're doing those things, you want well-known port-number statically entered, the server running all day long, and for it to be advertised to the world. UPnP is not the answer.

          I literally turn off UPnP on all devices. Not one person has ever complained, even the couple who brought their XBox 360 to my house and connected it to play multiplayer online. Everything that "needs" port-forwarding doesn't. Unless you are trying to run a server from your home connection and thereby exposing yourself to much worse than anything UPnP can do to you anyway.

          1. bigtimehustler

            Re: another lesson

            You say it's not required, but if game developers are relying on P2P I'd say it is required if that is what you want to do, play the game. You may also be using torrent software for any number of download/upload reasons, I wouldn't say using torrent software should require you to understand networking.

            Life isn't as clear cut as, it's not required, turn it off, when in fact people are using it making it required for them.

            1. Michael Wojcik Silver badge

              Re: another lesson

              if game developers are relying on P2P I'd say it is required if that is what you want to do, play the game

              Yup. And opening the door in mid-flight is required if what you want to do is go skydiving.

              That's not really a great reason to have all planes open their doors in mid-flight by default.

              Nor is it a great reason to sell routers with UPandGetHacked enabled. Yes, quite a few people want to play multiplayer games that require it. Fine. Let them learn how to turn it on. Consider it part of the game.

              1. Charles 9

                Re: another lesson

                They refuse. They want to just JFPTFG, not go through all that network jiggery-pokery. It's like telling people they need to learn how to pump their own gas in order to drive their car in New Jersey (hint: all gas stations in New Jersey are Full Service, by law).

          2. heyrick Silver badge

            Re: another lesson

            "Sorry, but nothing you have REQUIRES a port-forward, unless you are providing an actual service."

            This. I'm running a small server on my Pi. Port forwarding set up manually. I also have an HP printer that I can print to by emailing PDFs. It has no port forwarding and there is no UPnP yet somehow it all still works...

            1. Charles 9

              Re: another lesson

              "I also have an HP printer that I can print to by emailing PDFs. It has no port forwarding and there is no UPnP yet somehow it all still works..."

              ONLY as long as the HP service behind this remains in operation. What happens when (not if) it shuts down? Then you can't e-mail your printer anymore. That's the catch. Without an open port, you have to go through an intermediary (your printer talks to HP, that's why it works), meaning you place your trust in that intermediary.

              1. heyrick Silver badge

                Re: another lesson

                "What happens when (not if) it shuts down?"

                Given the price of the printer...I go buy a different one. ;-)

                Your point about intermediaries is valid though, but then aren't so many things dependent upon some sort of third party service? (if nothing else, it means phoning home and telemetry are baked into the service)

                Oh look, on this very day... https://www.theregister.co.uk/2018/05/17/nest_outage/

          3. Adam 52 Silver badge

            Re: another lesson

            "Your phone is not a server. If you nmap it, it likely has zero ports open"

            Nope. My phone's listening on 443, 5060, 5090 and 9001.

          4. DiViDeD

            @Lee D Re: another lesson

            Whoooooosh!

      2. Anonymous Coward
        Paris Hilton

        Re: another lesson

        "NOBODY NEEDS TO FORWARD PORTS UNLESS THEY ARE RUNNING A SERVER."

        IPv6 8)

  4. Anonymous Coward
    Anonymous Coward

    As much as I would like to see UPnP blocked by default it's not going to happen. The conversation at the ISP (who supply most consumer grade routers) will go something along the lines of what costs more? Supporting users who buy something that uses UPnP or dealing with the extra traffic?

    Steps without UPnP (I may miss something here, who knows)

    Call ISP support.

    Find IP address of device. (No easy task depending on device)

    Log into router.

    Depending on router make IP address static. (I don't know what default lease time they have these days as I never use it)

    Confirm Port and type of outgoing connection required.

    Find page for forwarding.

    Enter details correctly.

    Apply forwarding.

    Hope there isn't an issue on device such as a setting or server issue stopping it connecting or allowing connection.

    Steps with UPnP.

    Plug it in.

    If it doesn't work refer customer to device manufacturer.

    ISPs could refer people to device manufacturer but let's face it they'll just tell you it's not their router and refer you back because it should have UPnP enabled.

    1. Anonymous Coward
      Anonymous Coward

      As much as I don't care if upnp is blocked by default on the internal side (it was only ever used by skype clients, and that's a product in its death throes), no ISP has any excuse for requiring unchanged admin passwords, unsecured http access, or upnp on the internet side.

      Outgoing connections aren't what caused DOS amplification.

      1. Anonymous Coward
        Anonymous Coward

        Any device that allows you to call back home from outside the network can use upnp, e.g. security camera, media server, IoT crap etc...

        If it was no longer in use then it would most likely be removed.

  5. bombastic bob Silver badge
    Facepalm

    UPnP - insecure out of the box

    one of the worst designs in UPnP would be the ability of a client to open up a port in any firewall configured for UPnP. In other words, if NAT was (at one time) protecting a computer from being a listening port on "teh intarwebs" for command/control, guess what? UPnP makes that possible, too.

    So many levels of wrong. So many security craters. Why is it even "a feature" on routers?

    /me thinks we can blame Micro-shaft, somehow...

    icon, because, facepalm

    1. Dan 55 Silver badge
      Devil

      Re: UPnP - insecure out of the box

      Sorry, no MS involvement, this one was the unholy offspring of Cisco, Juniper, and France Telecom.

    2. Charles 9

      Re: UPnP - insecure out of the box

      WHY? Because the Internet wasn't built with Stupid Users in mind. Stupid Users who wouldn't know a port if it owned them yet expect their Internet stuff to work from Day 0.

      Look, it's either UPnP or increased Help Desk traffic. Pick your poison unless you think people should have a license to use the Internet.

      1. Anonymous Coward
        Anonymous Coward

        Re: UPnP - insecure out of the box

        ... unless you think people should have a license to use the Internet.

        Tempting, very tempting. How about a reverse walled garden approach where those without a license are locked into a small subset like only facebook and twitter or something? We could even make licensing as easy as 1, 2, 3.

        1. Log into router

        2. Ensure UPnP and WAN side logins are disabled

        3. Change the default password. Of course changing the password to something like password1 or 123456 will automatically revoke the license.

        1. John Brown (no body) Silver badge

          Re: UPnP - insecure out of the box

          "Tempting, very tempting. How about a reverse walled garden approach where those without a license are locked into a small subset like only facebook and twitter or something?"

          Obligatory car analogy

          This all reminds me a little of self-driving cars and the road network. People who can't drive are not allowed on the roads but self-driving cars might one day allow people who can't drive out there. uPNP is the self driving car of the internet "superhighway" that allows non-"drivers" out there because it takes away the complications so they don't need to learn to "drive". The downside is that uPNP doesn't put lives at risk so anyone can create their own shitty implementation with no come-back when it fails.

  6. Dan 55 Silver badge

    UPnP is bad, but...

    Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);

    ... is worse.

    If you have an open HTTP admin, anything you do is useless.

  7. Anonymous Coward
    Anonymous Coward

    What?

    "sysadmins need to block UPnP from Internet-facing access"

    Sysadmins should never allow it in the first place, if they have, they need sacking.

    Now, home boxes, that's a different matter.

  8. Mage Silver badge
    Devil

    Now, home boxes, that's a different matter.

    Why?

    It should have been nuked from orbit before release.

    The Router "feature" to have uPNP should never have existed. Let's not forget that even without the internet uPNP on a host (PC etc) is mostly a stunningly bad idea. Automatic install or connection to of something unseen somewhere else on a LAN?

    Even apart from the Internet fail, it's a far worse design disaster than USB HID because anyone could plug something into the LAN. At least with USB the user is actually plugging in the whatever it is*

    It should NEVER have been added as a feature on ANY router.

    It should be disabled on every PC too. Along with SSDP.

    (* If using unknown USB chargers, use a cable that has no data connections. Don't plug in unknown USB things and note what messages appear on screen).

    1. Charles 9

      Re: Now, home boxes, that's a different matter.

      So what do you propose as the alternative for people who wouldn't know a port if it pwned them?

      1. Ken Hagan Gold badge

        Re: Now, home boxes, that's a different matter.

        "So what do you propose as the alternative for people who wouldn't know a port if it pwned them?"

        That's easy. You give them nothing.

        Your choice of words is appropriate. They *won't* know a port *when* it pwns them. If your game needs to allow anyone, anywhere, sight unseen, to access your network then you need a new game. People need to learn that the easy way (from us) rather than the hard way (from their bank).

        It's really no different to posting naked selfies to a secure part of their Facebook profile. People need to learn not to do that and the choice of teacher is "boring nerd" or "experience". The latter is, famously, a harsh mistress. So ... ask yourself ... are you a fool?

        1. Charles 9

          Re: Now, home boxes, that's a different matter.

          So IOW, you want people to have a license to use the Internet, even if they start complaining to the help desks, tying them up.

          1. John Brown (no body) Silver badge

            Re: Now, home boxes, that's a different matter.

            Helpdesk Jocky: Please give me your internet licence number

            Caller: I don't have one

            <click>

            1. Anonymous Coward
              Anonymous Coward

              Re: Now, home boxes, that's a different matter.

              Helpdesk Jocky: Please give me your internet licence number

              Caller: Please connect me to your supervisor before I FILE A FORMAL COMPLAINT AND SWITCH PROVIDERS!

              1. Michael Wojcik Silver badge

                Re: Now, home boxes, that's a different matter.

                Caller: Please connect me to your supervisor before I FILE A FORMAL COMPLAINT AND SWITCH PROVIDERS!

                Caller is welcome to do so. The formal complaint has no material effect, and you're already costing us more than you're worth. Ta!

                And, of course, in the US, many consumers have only one viable choice of ISP.

                1. Charles 9

                  Re: Now, home boxes, that's a different matter.

                  "Caller is welcome to do so. The formal complaint has no material effect, and you're already costing us more than you're worth. Ta!"

                  Be careful. PO'd customers tend to tell their friends. Meaning one defection may be followed by a bunch more...NOT a good thing to report to the higher-ups...

                  Remember, trust is hard to build and easy to break.

          2. Michael Wojcik Silver badge

            Re: Now, home boxes, that's a different matter.

            So IOW, you want people to have a license to use the Internet, even if they start complaining to the help desks, tying them up.

            Who else, exactly, is using this alleged ISP help desk?

            And if the help desk is "tied up", either the ISP will address that situation, or market forces will correct it (i.e. people will switch), or people will put up with it - just as they do now. I don't find Helpocalypse a persuasive argument.

        2. Dan 55 Silver badge

          Re: Now, home boxes, that's a different matter.

          Your choice of words is appropriate. They *won't* know a port *when* it pwns them. If your game needs to allow anyone, anywhere, sight unseen, to access your network then you need a new game. People need to learn that the easy way (from us) rather than the hard way (from their bank).

          Many games use P2P multiplayer. Someone somewhere's got to open a port.

      2. Michael Wojcik Silver badge

        Re: Now, home boxes, that's a different matter.

        So what do you propose as the alternative for people who wouldn't know a port if it pwned them?

        Learn or do without.

        Please stop endorsing learned helplessness. For all of human existence, people have demonstrated the capacity to learn how to use things they have good reason (including entertainment) to use.

    2. Baldrickk

      USB cables

      (* If using unknown USB chargers, use a cable that has no data connections. Don't plug in unknown USB things and note what messages appear on screen).

      So if I borrow a charger, I shouldn't be able to have it quick-charge (because detection of that is done via the data lines)

      What about a new charger from a store? do you trust that?

      At some point you either have to have a full chain of trust (like with certificates) or you have to take a leap of faith.

      Where you draw the line is the important thing. This line may change depending on who you are and what you are doing.

      1. David Nash Silver badge

        Re: USB cables

        "use a cable that has no data connections"

        And that's another thing that "normal" users have never heard of.

        I don't think I've ever seen one myself either.

        1. DiViDeD

          Re: USB cables without data connections

          I have a couple myself. Two mini usb connectors that won't connect a device. Thought they were faulty until I (accidentally) discovered they work fine for charging, and 2 micro USB, one from Jabra, the other from (of all people) Samsung, which have big friendly stickers hanging off them saying 'For Charging Only'. I've verified that by finding myself out in the bush and having to fire a WiFi hotspot up to move stuff between my phone and a notebook.

        2. heyrick Silver badge
          Meh

          Re: USB cables

          "I don't think I've ever seen one myself either."

          Try with USB battery packs. Or anything that has a USB connection for charging, not data transfer.

          Unfortunately when you have several kicking around and they look identical to normal USB cables, it is all too easy to pick up the wrong one, plug phone into computer, then wonder why the thing doesn't pop up the connection confirmation. Oh, yeah, no data... Grrrr...

        3. Michael Wojcik Silver badge

          Re: USB cables

          I don't think I've ever seen one myself either.

          I don't know why not. Best Buy sells them. Hell, my local supermarket sells them. They're right next to the other USB cables, and they say "charging only", and they're generally cheaper than the regular (data-carrying) cables. These days, they probably have some sort of security waffle on the packaging too.

  9. TrumpSlurp the Troll
    Paris Hilton

    Just for clarity

    My limited understanding of UPnP is that it is there to allow software (mainly games) to open a port on the router firewall on demand and listen for incoming calls/traffic. I can see this should work as it is better than leaving ports permanently open and in theory software inside the firewall is trusted. Obviously only to be enabled if you have software requiring this feature.

    Having UPnP open on the Internet facing side, though? Why would you? It implies that you have nothing listening on a specific port (or it would already be open) so what handles the unsolicited incoming call? Where is it routed on the internal LAN?

    1. Field Commander A9

      Having UPnP open on the Internet facing side

      No, it's not UPnP itself that is opened on the Internet facing side. It's that some routers default to having their web admin interface accessible on the Internet facing side, so they can be easily hacked.

      THEN there's the problem that many routers don't properly sanitize UPnP rules which made the reflected attack possible.

      1. TrumpSlurp the Troll
        Paris Hilton

        Re: Having UPnP open on the Internet facing side

        So is the significance of UPnP that it can be configured without needing user ID and password?

        Or is the assumption that the router is open to the world with manufacturer's defaults and UPnP is a convenient way to open random port numbers when tromboning an attack through the router?

        Because if you have full access to the router you could probably configure it as a proxy and/or a VPN.

        1. Orv Silver badge

          Re: Having UPnP open on the Internet facing side

          The basic problem, IMHO, is routers that aren't validating that the IP address they're being configured to forward to is actually an internal IP address. It's the same basic idea as the old FTP "PORT" command trick.

          There's also no reason to let anything on the Internet side of the connection configure UPnP settings.

          This isn't a UPnP problem, it's a stupid router design problem.
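The two checks described in the comment above (the forwarding target must be an internal address, and nothing on the Internet side may configure mappings), written out as an added example; this is not code from the article, from Imperva or from any router firmware. The interface name `br-lan`, the `192.168.1.0/24` LAN and all function names are assumptions, and the rule that a client may only map ports to its own address is an extra policy choice that goes beyond what the comment asks for.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def sample_request(internal_client, ext_port="27015", int_port="27015", proto="UDP"):
    """Constructed AddPortMapping SOAP body (sample data, not captured traffic)."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{IGD_NS}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{internal_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>game</NewPortMappingDescription>"
        "<NewLeaseDuration>3600</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


def arg(action, name):
    """Text of one action argument; arguments are unqualified child elements."""
    el = action.find(name)
    return (el.text or "").strip() if el is not None else ""


def valid_port(text):
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 65535


def check_add_port_mapping(soap_body, src_ip, ingress_iface,
                           lan_net="192.168.1.0/24", lan_iface="br-lan"):
    """Return (allowed, reason) for one AddPortMapping control request."""
    lan = ipaddress.ip_network(lan_net)

    # 1. Nothing on the Internet side gets to configure mappings at all.
    if ingress_iface != lan_iface:
        return False, "request did not arrive on the LAN interface"
    src = ipaddress.ip_address(src_ip)
    if src not in lan:
        return False, "requester address is outside the LAN"

    # Refuse DTDs before parsing: the stdlib parser expands internal entities.
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        return False, "DTD or entity declaration in SOAP body"
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return False, "malformed SOAP body"
    action = root.find(".//{%s}AddPortMapping" % IGD_NS)
    if action is None:
        return False, "no AddPortMapping action in body"

    # 2. The forwarding target must be an IP literal inside the LAN.
    try:
        client = ipaddress.ip_address(arg(action, "NewInternalClient"))
    except ValueError:
        return False, "NewInternalClient is not an IP literal"
    if client not in lan:
        return False, "NewInternalClient is outside the LAN"
    if client in (lan.network_address, lan.broadcast_address):
        return False, "NewInternalClient is a network or broadcast address"

    # 3. Policy choice (assumption): a host may only map ports to itself.
    if client != src:
        return False, "NewInternalClient differs from the requester"

    if arg(action, "NewProtocol") not in ("TCP", "UDP"):
        return False, "unsupported protocol"
    if not (valid_port(arg(action, "NewExternalPort"))
            and valid_port(arg(action, "NewInternalPort"))):
        return False, "port out of range"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("LAN host maps to itself", sample_request("192.168.1.50"), "192.168.1.50", "br-lan"),
        ("target is an Internet address", sample_request("203.0.113.10"), "192.168.1.50", "br-lan"),
        ("request arrives on WAN side", sample_request("192.168.1.50"), "198.51.100.7", "wan0"),
        ("mapping for another LAN host", sample_request("192.168.1.60"), "192.168.1.50", "br-lan"),
    ]
    for label, body, src, iface in cases:
        print(f"{label}: {check_add_port_mapping(body, src, iface)}")
```
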

  10. TrumpSlurp the Troll
    Trollface

    Scrabble, anyone?

    "The company's Avishay Zawoznik, Johnathan Azaria, and Igal Zeifman".

    Wonderful on the Scrabble board, but aren't there any security researchers called Joe Blogs or Bill Smith any more?

    1. Ken Hagan Gold badge

      Re: Scrabble, anyone?

      I expect so, but as humanity starts firing on all cylinders, rather than just guys like me, the statistics make it far more likely that three pulled out of the bag won't be called Joe Bloggs.

      Be thankful that their names could be adequately rendered using an accent-free Latin script.

  11. This post has been deleted by its author

  12. petethebloke

    Thanks GRC

    www.grc.com recommended turning this off about a hundred years ago. I didn't know what it was at the time, but I believed them.

    1. Lee D Silver badge

      Re: Thanks GRC

      That was more about a service running exposed to the Internet by default, back in the days of XP/98 when people used to connect via modems and be their only defence against network-borne packets.

      Doesn't mean that UPnP isn't an atrocious idea. But GRC was more concerned with "why is there a new, by-default, always-on, Internet exposed service on all Windows PC's" and would let you turn it off via software. Nothing to do with UPnP on routers, networks in general etc.

      1. Dan 55 Silver badge

        Re: Thanks GRC

        GRC do have a UPnP vulnerability test so you can test if it's exposed to the Internet. That appeared about five years ago.

  13. Anonymous Coward
    Anonymous Coward

    I do hope this news does not lead to Virgin Media returning to sending out letters to subscribers with "our system has detected you may have an SSDP vulnerability" warnings.

    Those were so vague and scaremongering they appeared to be nothing more than a scam intended to drive frightened people to their paid for customer support service.

  14. Anonymous Coward
    Anonymous Coward

    Knocking on my firewall door

    For years NetBEUI, uPnP and the rest have been knocking on my firewall door. Windows implemented them by default. Luckily then I had Kerio/Tiny Personal Fire Wall. TPF in concert with Windows firewall and could set the ASK for each rule. Thanks Kerio.

    Many routers have ambiguous settings and the user is not quite sure what if anything is blocked from exiting or entering the router. So it's always important to set up a full set of rules that would be effective regardless of which setting the Firewall had, using full addresses/ranges for the likes of DNS and Email if you at all can. Every device or machine, inside and out.

    The Firewall has rules for everything that moves thru the device. Everything !

    A Hardened Firewall is one of the most important security building blocks. a real MUST.

    1. Jason Bloomberg Silver badge
      Pint

      Re: Knocking on my firewall door

      Luckily then I had Kerio/Tiny Personal Fire Wall.

      +1 and 'beers all round' for Kerio.

    2. Charles 9

      Re: Knocking on my firewall door

      "A Hardened Firewall is one of the most important security building blocks. a real MUST."

      But what about the Stupid Users who STILL demand their stuff be able to talk on the Internet, including their gaming consoles (that need ports if they're ever going to HOST games and be real gamers, etc.)? Unless you're saying people should require a license to use the Internet, we're going to need a solution for the Stupid Users.

      1. David Nash Silver badge

        Re: Knocking on my firewall door

        "But what about the Stupid Users "

        Help desk/paid-for advice, etc.

        Same as for all kinds of things. You want two things to work together, you need someone who knows how to make that possible.

        1. Charles 9

          Re: Knocking on my firewall door

          "Help desk/paid-for advice, etc."

          But even help desks get tired of the same requests over and over. Plus they cost MONEY which many people aren't willing to pay, thus why tolled help desk numbers gave way to toll-free ones.

          1. heyrick Silver badge

            Re: Knocking on my firewall door

            "But even help desks get tired of the same requests over and over."

            And?

            Some days I get tired of doing the same stuff over and over, but it's my job, it's what I'm paid to do.

            Perhaps if the help desk keeps getting the same questions (from different users, I should add for clarity), it implies that the first line of assistance (the online help) is inadequate, confusing, or difficult to find?

      2. Ken Hagan Gold badge

        Re: Knocking on my firewall door

        "Unless you're saying people should require a license to use the Internet, we're going to need a solution for the Stupid Users."

        Well actually, society does deal with "stupid users" in other fields (*) by defaulting to "no" and sometimes even requiring a licence before you can say "yes" even if you know. Quite where to draw the line is always controversial, but the principle that stupid honest people shouldn't be allowed to suffer at the hands of crooked clever people is very widely accepted.

        (* things like driving, open-heart surgery, sex, drugs, alcohol.)

        1. Mike 125

          Re: Knocking on my firewall door

          >>the principle that stupid honest people shouldn't be allowed to suffer at the hands of crooked clever people is very widely accepted.

          Yea, except for when it actually matters:

          "No. Do not coat my apartment block in super-flammable cladding."

          "No. Do not blindly accept my exceptional bank transfer request, without at least a second factor authentication and authorisation."

          I could go on...

    3. Roland6 Silver badge

      Re: Knocking on my firewall door

      >Luckily then I had Kerio/Tiny Personal Fire Wall.

      ?

      The most recent entry on FileHippo for the Sunbelt (previously Kerio PF) is 2008, but the website is defunct.

      As for Tiny PF (not to be confused with TinyWall)...

      And I thought running Agnitum Outpost PFW, last updated December 2016 was risky...

  15. Nick Sticks

    Elite Dangerous is best played with Port Forwarding

    It will work for some people without UPnP and Port Forwarding but there are less problems when you do.

    "Port forwarding is commonly used to resolve problems encountered when connecting to the Frontier Servers, or to other players. It is especially important to enable port forwarding if UPnP is disabled or unsupported by your router."

    https://support.frontier.co.uk/kb/faq.php?id=344

    1. Charles 9

      Re: Elite Dangerous is best played with Port Forwarding

      Put it this way. Without a Trent, there's no way for two peers to connect to each other if neither of them has an open port somewhere. And even then, do you want to trust that Trent who could really be Mallory...or Gene?
