I’ve trash talked this website before in my head, but maybe I was approaching it as a professional organization instead of more of a blog run by a small group of people.
They aren’t just doing ads dude, it’s a for-profit propaganda machine.
But seriously, Mullvad would do well to switch out their email provider to something that’s not Google. Even though email is inherently unsafe, email through Google is pretty much is unsafe as it can get.
I went to ask nicely for help from their support department and got a development build for one of their routers. Not only was it an ancient version of OpenWRT with the myriad of unpatched vulnerabilities, but it had absolutely dumb/weird configurations like the Wi-Fi password being a user account password exposed to a patched up SSH daemon with shell /bin/false. Just a whole lot of why and an obvious lack of care put into the software.
Their devices function… Most of the time. That’s about all that’s redeeming.
…because why would you go to all the trouble to pay Mullvad (presumably to keep your sensitive information away from big tech) to then give it to google in the form of an e-mail should you reach out to Mullvad for support? Google would then suck up any and all data that comes via their gmail service.
It’s because of the difference in credentials. One is a website positing as having both privacy and cryptocurrency investment advice services, and the other is a random Lemur
That’s really odd. For what it’s worth though, the company I work for does firmware updates over a Tor hidden service for customer privacy. We don’t send any data though (as that would defeat the purpose entirely), just poll for updates then download and install if there are any.
It’s just an NTP pool. The device is trying to update it’s time. Likely it made many other requests to other servers when this one didn’t work.
Maintaining up to date lists of anything is a game of whack a mole, so you’re always going to get weird results.
If you’re actually unsure, pcap the traffic on your pfsense box and see for yourself. NTP is an unencrypted protocol, so tshark or Wireshark will have no problem telling you all about it.
That said, I’d still agree with the other poster about local integration with home assistant and just block that sucker from the Internet.
Agreed. To add to this because the traffic is being blocked it keeps retrying so it’s inflating the traffic size. I have about 14 tplink WiFi switches on a vlan and my pfsense rule for NTP is less than 6 megabytes. OP is conflating legitimate NTP traffic with Tor.
Fwiw the TP link bulbs usually have a local API that Home Assistant has an integration for. You can use that and block their internet access - unless they’ve removed that feature. I only used one of these briefly because someone gave it to me. Usually just use cheap ZigBee bulbs. I would throw that one out though as someone else said it’s likely been compromised already…
The zigbee bulbs I’ve had the best luck with are Innr, although they are kind of pricy. Ikea bulbs are good for the price, but every one I have, has very loud coil whine when off. I had some on bedside stands and had to move them to other rooms. Sengled are nice when they work, I’ve had issues with them dropping off my network.
Both Ikea and Innr are also repeaters, Sengled does not do repeaters in their bulbs. Neither Ikea or Innr are exactly cheap, but they’ve been the most solid for me.
It’s been hacked, the light bulb is likely part of some botnet or under an attacker’s control directly. Which is why it’s sending that much data continuously. IoT/smart devices don’t send a lot of data in this sort of volume as most of the time they’re idle and maybe send a heartbeat or status update every once in a while to prove they’re alive.
This is what is called an indicator of compromise or IoC, it’s some behavior or pattern that can be used to determine what is happening or who is the one doing the attacking.
Likely OP would need to do some analysis to be able to get attribution unless it’s a very well known botnet actor in which case attribution is fairly straightforward.
You’re aware that you can send whatever traffic you want over any port right? Using 123/udp for NTP is just convention. A light bulb that is updating its time over Tor is suspect. TP-Link would have their own infrastructure or use public pools to update the device’s time.
privacy
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.