Monday, December 2, 2019

so, i'm starting to get a better understanding of what happened, although it's not helping me understand what happened.

i have fixed the issue with the firewall, which was an access issue in the registry related to something called internet connection sharing, which i deleted myself quite some time ago. sort of. there may be some compound issues, here.

yes, i deleted it. i didn't want it. but, it was fine.

more confusing, if i go through the event viewer, i can see that this error goes back to more or less the start of the logs, which is nov 15th - after i realized they'd been shut down and turned them back on. it seems to happen fairly regularly, on restart.

however, i know that the firewall was actually loading because:

(1) i'm sure i would have noticed it. i check running services quite frequently. i was turning the spooler off and on all week.
(2) i *did* notice it *was* on as recently as saturday night, because i turned it off to reset the connection.
(3) there are events as recently as the 28th that indicate that the settings for the firewall have been updated, and i remember doing it. i had to load the service to change the settings.
(4) i've actually been in and out of the virtual machine a couple of times this month, including around 6:00 am sunday morning, and i'm sure that the firewall worked because the computer browser seems to rely on it. that's what tipped me off this afternoon - the browser wouldn't load, so i went to check the services and "shit".

to be clear: i transferred some files on sunday morning. so, the firewall was working sunday morning.

then, i put the machine to sleep, slept for a few hours in the morning, finished what i was doing and stopped to eat.

then it rebooted when i was eating, and went into a loop overnight, to come back up with the busted firewall.

so, it *seems* like somebody targeted the machine yesterday afternoon when i was eating. what did they do?

well, it's ambiguous. but, i'm leaning towards the answer being deeper than i'd like.

i deleted the ics weeks ago and the firewall worked just fine. for it to come up now and tell me "you need ics to connect to the firewall" is exceedingly shady, imo.

what i did should be benign, but it should also be unnecessary. i should not have to give the firewall service access to ics in the registry, even if it's empty, and even if it's banned. so, before i connect to the internet on this machine again, i'm going to need to be certain that i didn't just open up a back door for the cops to spy on me with.

i could check the logs, right? they're off by default. they're on, now.

i'm going to stop to eat and get back to it after. and, this time, we're going into hibernation.