<uuuto0$2vka9$1@dont-email.me>

Path: ...!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y <blockedofcourse@foo.invalid>
Newsgroups: sci.electronics.design
Subject: Re: German state gov. ditching Windows for Linux, 30k workers
 migrating.
Date: Sun, 7 Apr 2024 12:55:40 -0700
Organization: A noiseless patient Spider
Lines: 97
Message-ID: <uuuto0$2vka9$1@dont-email.me>
References: <uuqirt$6kgh$1@solani.org>
 <jgp21jl76nk0c3064ss3pbfq5pboav93hp@4ax.com>
 <5qb31j9c2ia9a6h2fr50onqa2vp4d4bsfm@4ax.com>
 <3hf31j9d0uq5b9imcq94b495c3hclbjv79@4ax.com>
 <1qrnmxu.99joma1j6s84iN%liz@poppyrecords.invalid.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 07 Apr 2024 19:55:45 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="7b2fe21eb6b5d2d7a7be57c86afff5a8";
	logging-data="3133769"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18qLPB0CQtEXcvPkSoxUmGw"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Cancel-Lock: sha1:852Fxphr+XbpRXmxuh0ihih7BVo=
Content-Language: en-US
In-Reply-To: <1qrnmxu.99joma1j6s84iN%liz@poppyrecords.invalid.invalid>
Bytes: 6328

On 4/7/2024 9:35 AM, Liz Tuddenham wrote:
> There are two extreme approaches to security:
> 
> 1)  Put a major effort into designing a universal high-security system
> that can be sold worldwide to cover its development costs.

That assumes you want to DIRECTLY recover its development costs.
E.g., the military thinks of "recovering" costs by avoiding future
LOSSES.  The same can apply to many other industries.

> 2)  Have every small operator design their own system, which is
> reasonably secure but may not be foolproof.

Define "reasonably secure".  Given that most "small operators" lack
the technical skills to undertake such an effort, they will end up
piecing together a system using bits of a relatively small number of
"available" (free or otherwise) systems -- the security of each of
those being relatively unknown.

And, again a result of lack of knowledge, they will likely not understand
the risks that those systems bring to their applications/deployments.

Developers often treat security as window dressing so tend not to
design truly secure devices/appliances; yet want to convince themselves
that they've addressed those needs ("I put a lock on the front door to
my house so I'm now secure!")

Adversaries, OTOH, can accumulate lists of exploits and their associated
targets.  Then, fingerprint systems of interest to get a reasonably good
idea of which vulnerabilities might apply.  ("The center stile in some
windows can be removed with a single screw thereby allowing the window to
be removed from its frame and providing a person-sized opening into the
house")

All this from the comfort and (legal?) safety of some remote location.

> The first option is the one which most people and businesses take, but
> it results in a prize that every hacker feels is worth breaking because
> of the results it will yield.  Sooner or later someone will find a
> weakness and exploit it.  A major update is then required.
> 
> The second option is theoretically weaker, so very few major players
> would consider it, but it would take a lot of time and effort to hack
> into the peculiarities of each individual system and simply wouldn't be
> worthwhile if it only results in a tiny yield.  Small changes to the
> system can be made easily and will involve the hacker in an inordinately
> large amount of work for small returns.

That's the fallacy.  It costs relatively little to probe (and fingerprint)
every accessible IP.  Then, throw a set of exploits *already* deemed LIKELY
to compromise such a system at it and note the results.  The process can
be automated (and likely would be given the sheer number of potential
targets!)

[A colleague always thought he was "safe" because he ran an out-facing
Solaris/SPARC host.  No, just because so few people do so doesn't mean
the known exploits for such hosts are no longer available to the hacker!]

Because there are so few truly different systems "out there", the likely
locations (in the permanent store) of any "goodies" are known or easily
identified -- because the SYSTEM has to know where these things have been
placed!

As damn near ALL of these "systems" are available to an adversary to
probe and explore "offline", he's already figured out how he's going to get
what he needs -- unlike trying to break into some proprietary system that
he has no first-hand prior experience "observing".

I.e., give me a VALID login for some "institution" and I'll have to poke
around to figure what MIGHT be accessible, then where/how.  Point me at a
Windows/Linux/OSX/BSD host and I'll already have a headstart!

With the proliferation of appliances with none/poor/laughable security,
your system is no longer the sole attack surface.  Each of these appliances
can be attacked, compromised and then used as a beachhead to poke at your
other system(s) -- as it is now "inside" your peripheral defenses!
As they all want to have their software updatable ("to keep current with the
latest security fixes" -- really?  exploits are announced every month; how
often do you push updates to your appliances??), they are all routable and
EXPECTED to access the outside world.

So, open a connection to a WAITING hacker on the outside and let him serve
as C&C while you (the appliance) are the dutiful soldier behind enemy lines...

How many devices in your home/organization are "undocumented" (i.e.,
effectively black boxes)?  Can you speak to the levels of their security?
Ever have a friend bring their phone/laptop to your home and connect to
the internet using your connection?  Are you sure his device wasn't
also probing your hosts -- without HIS knowledge?

Consider the number of "complimentary wifi" APs that most phone users
eagerly connect with.  Are they sure there have been no exploits hosted
behind those APs?

Can you enumerate all of the potential security vulnerabilities that
you *have*?  Today?  Tomorrow??
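The post above argues that the appliances behind your perimeter are "expected to access the outside world", so a compromised one can quietly call out to a waiting C&C, and asks whether you can even enumerate what you have. One concrete check a defender can run is to take connection logs (firewall, NetFlow, Zeek conn.log) and (a) list which external destinations each internal host talks to, and (b) flag internal hosts that call out on a fixed cadence, since a scripted check-in is regular while human browsing is bursty. The following is an added example written for this page, not code from the original post or its authors. It assumes RFC 1918 space is "inside", treats everything else as "outside", uses a coefficient-of-variation threshold (0.15) and a minimum event count (5) that are tuning assumptions, and runs over a small set of constructed flow records using TEST-NET addresses rather than real traffic.

```python
"""Enumerate outbound channels per internal host and flag steady-cadence
"beaconing".  Added example; flow records below are constructed, not real."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 ranges are "inside the perimeter"; anything else is outside.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 192.168.1.40 (an "appliance") calls 203.0.113.7:443 roughly every 300 s.
# 192.168.1.20 (a laptop) browses 198.51.100.5:443 at irregular times.
# 192.168.1.50 contacts 203.0.113.9:443 periodically but only three times.
# Remaining rows are internal-to-internal or inbound and must be ignored.
SAMPLE_FLOWS = [
    (0, "192.168.1.40", "203.0.113.7", 443),
    (298, "192.168.1.40", "203.0.113.7", 443),
    (601, "192.168.1.40", "203.0.113.7", 443),
    (899, "192.168.1.40", "203.0.113.7", 443),
    (1202, "192.168.1.40", "203.0.113.7", 443),
    (1500, "192.168.1.40", "203.0.113.7", 443),
    (1801, "192.168.1.40", "203.0.113.7", 443),
    (2099, "192.168.1.40", "203.0.113.7", 443),
    (5, "192.168.1.20", "198.51.100.5", 443),
    (12, "192.168.1.20", "198.51.100.5", 443),
    (130, "192.168.1.20", "198.51.100.5", 443),
    (131, "192.168.1.20", "198.51.100.5", 443),
    (400, "192.168.1.20", "198.51.100.5", 443),
    (900, "192.168.1.20", "198.51.100.5", 443),
    (905, "192.168.1.20", "198.51.100.5", 443),
    (0, "192.168.1.50", "203.0.113.9", 443),
    (600, "192.168.1.50", "203.0.113.9", 443),
    (1200, "192.168.1.50", "203.0.113.9", 443),
    (50, "192.168.1.20", "192.168.1.1", 53),      # internal DNS, ignored
    (60, "198.51.100.5", "192.168.1.20", 443),    # inbound, ignored
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_map(flows):
    """Map each internal host to the set of external (dst_ip, port) it contacts.
    This is the 'can you enumerate what talks out?' inventory."""
    out = defaultdict(set)
    for _ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            out[src].add((dst, port))
    return dict(out)


def find_beacons(flows, min_events=5, max_cv=0.15):
    """Return (src, dst, port, period_seconds) for outbound channels whose
    inter-arrival gaps are regular.  cv = stdev/mean of the gaps: low cv means
    a clockwork check-in, high cv means bursty, human-driven traffic.
    min_events and max_cv are assumed thresholds; tune them to your environment."""
    by_channel = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            by_channel[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_channel.items():
        if len(times) < min_events:
            continue                      # too few samples to judge cadence
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # all events in the same second; not a cadence
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, port, round(avg)))
    return hits


if __name__ == "__main__":
    for host, dests in sorted(outbound_map(SAMPLE_FLOWS).items()):
        print(f"{host} talks out to: {sorted(dests)}")
    for src, dst, port, period in find_beacons(SAMPLE_FLOWS):
        print(f"BEACON? {src} -> {dst}:{port} about every {period}s")
```

On the constructed data only the appliance is flagged (about every 300 s); the laptop's bursty browsing and the three-event host fall through. In practice you would feed this real flow records, add an allowlist for known update servers, and look hardest at any "black box" device whose steady external contact you cannot explain.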