If your threat model includes nation states, you are outgunned.
A nation state can probably buy the building across the street if that's the value of hacking your system.
Of course there are almost certainly cheaper options, but that's the level of time and budget you are up against... teams of motivated and well-resourced experienced professionals working against you full time.
But then the source code of the nation states is hacked and anyone can pull off nation state style attacks:
https://en.wikipedia.org/wiki/Vault_7
The nation states still have a money/people/breaking+entering advantage, but the cyberattack code is now something everyone has to protect against. Also some companies are important enough that they have to protect against nation state attacks, like pipeline operators, chemical plant operators, utilities, and telecom companies:
https://www.nytimes.com/2024/11/22/us/politics/chinese-hack-...
And criminals won't hesitate to use your family to blackmail you, so all the families of people with critical jobs need to be protected also, and their friends' families, and... basically everybody.
The nation state as a threat model adversary is kind of a weird abstraction. Does it include intrusive questions, e.g. about social media, asked by a border agent on your next trip abroad? Does it include getting your web browsing traffic collected up by the nine eyes spooks? Or does it mean a rich country is marshaling all its resources in a Manhattan Project-grade effort to target you personally?
In any case as in all things defense, you assume your adversary is to some extent rational and making attacks harder (more expensive, risky, opportunity cost, etc) improves the equation for you.
We should still try our best to secure everything against nation state actors, so that people who really need it (journalists, dissidents, security researchers, etc.) can blend into the crowd with regular consumer-grade devices.
If your threat model includes states. The states being nation states or not is irrelevant.
> If your threat model includes nation states, you are outgunned.
If basic security is not implemented, you have bigger problems. (backdoors in Cisco, Fortinet, Palo Alto Networks, skipping tests - CrowdStrike)
Like I said, there are almost certainly cheaper options. It would be unprofessional for intelligence professionals to do things the hard way.
You are outgunned.
https://archive.ph/cKrq8
“Microsoft warned of a vulnerability in Windows' print spooler”
How much I hated just seeing this process. Print related tasks should never run when not needed.
WiFi security can be improved by per-device passwords, https://github.com/spr-networks/super
Or just enable "WPA-enterprise" and have it rotate keys. Then you not only have device certificates, you also have per-user authentication. And if somebody missed it: rotating keys. They can change faster than they can be cracked. Then you can also layer VPNs on top of that...
All of which are standard, well known, and proven solutions.
What does that repo offer? With 400 stars, I doubt anybody has given it serious attention.
You make it sound like you just have to flip a switch in your router's settings to enable it, but that is very far from the truth. For that to work you need a RADIUS server to handle credentials, a certificate authority if you want any useful kind of authenticity checks, a process for distributing said certificates and finally you need to configure all your access points. This is something that companies can (and should) have, but for home users it is overkill. Since this repo specifically targets home users, I suspect there is a place for this among enthusiasts who can't or don't want to go all the way on their home network.
No RADIUS server needed, the built-in kernel module for wifi access points can do that easily.
Do you mean hostapd? I'm not aware of any built-in kernel/modules doing AP stuff.
Right, hostapd. It has the RADIUS functionality built in you'd need for proper wifi enterprise functionality.
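The setup the last few comments converge on, as an added sketch that is not from any commenter or from the linked repo: hostapd acting as WPA2-Enterprise access point with its integrated EAP server, so no separate RADIUS daemon runs. The interface name, SSID, file paths, user names, passwords and rekey intervals are assumptions chosen for illustration.

```ini
# ---- /etc/hostapd/hostapd.conf (path and all values are assumptions) ----
interface=wlan0
driver=nl80211
ssid=home-eap
hw_mode=g
channel=6

# WPA2-Enterprise: RSN only, 802.1X/EAP key management, AES-CCMP
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Use hostapd's integrated EAP server instead of an external RADIUS server
eap_server=1
eap_user_file=/etc/hostapd/eap_users

# A CA and server certificate are still needed even without RADIUS:
# ca_cert verifies client certificates for EAP-TLS, and clients use the
# same CA to verify server_cert before sending any credentials.
ca_cert=/etc/hostapd/certs/ca.pem
server_cert=/etc/hostapd/certs/server.pem
private_key=/etc/hostapd/certs/server.key

# Key rotation, in seconds: group key, then per-client pairwise key
wpa_group_rekey=3600
wpa_ptk_rekey=3600

# ---- /etc/hostapd/eap_users (separate file, readable by root only) ----
# Phase 1: outer methods offered to any identity.
#   PEAP = per-user password inside a TLS tunnel
#   TLS  = per-device client certificate issued by the CA above
*        PEAP,TLS
# Phase 2: per-user credentials inside the PEAP tunnel ([2] marks phase 2).
# Both passwords are constructed placeholders.
"alice"  MSCHAPV2  "constructed-example-password-1"  [2]
"bob"    MSCHAPV2  "constructed-example-password-2"  [2]
```

Each client has to be set to validate the server certificate against ca.pem; a client that skips that check will offer its PEAP credentials to any access point advertising the same SSID.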