Andrew Holway
2017-Apr-16 13:51 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
> > There is no doubt that most security agencies have a long list of zero- >> day exploits in their toolbox - I would hazard to suggest that they >> wouldn't be doing their job if they didn't! But I seriously doubt they >> would commission exploitable code in something that is openly >> auditable. >> >> P. >> > > P., I used to think that too... indeed, I was thoroughly convinced of it. > But reality changed my mind.Indeed. I think the assertion "OSS is somehow safer because of community audit" is a logical fallacy. How would one go about "auditing" in the first place? Even if the various Intelligence agencies are not injecting vulnerabilities then they would certainly be in a strong position to discover some of the holes already existing some time before they become public. Unless you're operating an air gap network you can be damn sure that 'they' can get into your systems if they really want to.
Alice Wonder
2017-Apr-16 14:34 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On 04/16/2017 06:51 AM, Andrew Holway wrote:>> >> There is no doubt that most security agencies have a long list of zero- >>> day exploits in their toolbox - I would hazard to suggest that they >>> wouldn't be doing their job if they didn't! But I seriously doubt they >>> would commission exploitable code in something that is openly >>> auditable. >>> >>> P. >>> >> >> P., I used to think that too... indeed, I was thoroughly convinced of it. >> But reality changed my mind. > > > Indeed. I think the assertion "OSS is somehow safer because of community > audit" is a logical fallacy. How would one go about "auditing" in the first > place? Even if the various Intelligence agencies are not injecting > vulnerabilities then they would certainly be in a strong position to > discover some of the holes already existing some time before they become > public.I'm more worried about cloud services and the large number of root certificates that software trusts by default. That's where a lot of the hacks are going to happen, and AFAIK the only defense against it is DNSSEC + DANE which very few zones actually utilize.
Pete Biggs
2017-Apr-16 17:25 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
> Indeed. I think the assertion "OSS is somehow safer because of community > audit" is a logical fallacy. How would one go about "auditing" in the first > place?There are tools to audit source code for problems - OSS is safer *because* the source is available and can be audited.> Even if the various Intelligence agencies are not injecting > vulnerabilities then they would certainly be in a strong position to > discover some of the holes already existing some time before they become > public.Yes. And despite what people think, those agencies don't have super powers. They have tools to help them, and lots of resources, but nothing out of the ordinary. There is nothing that the NSA can do that can't be done by other agencies or even individuals (or enough individuals working together). There is no doubt that every single security agency in the world has a team working on discovering exploitable code in all operating systems. It's what they do. Any exploit they find that has been reported is probably because some other agency has found it as well so they want to stop them using it.> > Unless you're operating an air gap network you can be damn sure that 'they' > can get into your systems if they really want to.The only truly secure machine is one that is at the bottom of a mine shaft, turned off and dismantled. :-) P.
Always Learning
2017-Apr-17 00:36 UTC
[CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On Sun, 2017-04-16 at 18:25 +0100, Pete Biggs wrote:> Yes. And despite what people think, those agencies don't have super > powers. They have tools to help them, and lots of resources, but > nothing out of the ordinary.Untrue. They are in advance of mainstream developments. Spying has existed for thousands, of years *and* it is their job to discover and then discretely monitor what is going-on. It is never one team doing everything but many highly specialist teams dedicated to particular aspects of intelligence gathering which they do expertly, and impressively, well. All countries monitor, by all available means, what is happening in their own territory and around the world. Just because, for example, the USA and Russia are not officially loving buddies it never ever prevents their intelligence agencies covertly sharing intelligence of mutual interest. It is a incestuous world with an international web of contacts doing favours and often disregarding their own government's official political pronouncements.> There is nothing that the NSA can do that can't be done by other > agencies or even individuals (or enough individuals working together).Mmmm, you forgot physical access to targets :-) That is one of their advantages together with links into national infrastructures and seemingly endless money. They are much more audacious than "normal" people.> There is no doubt that every single security agency in the world has a > team working on discovering exploitable code in all operating systems. > It's what they do. Any exploit they find that has been reported is > probably because some other agency has found it as well so they want to > stop them using it.Not only software but hardware too. Most hardware has backdoors which may not be routinely disclosed to purchasers. The question then arises if the "official" backdoor is the only one. Difficult to detect if the logic is coded on a chip.> The only truly secure machine is one that is at the bottom of a mine > shaft, turned off and dismantled. :-)Nope, just protected from public networks like the Internet and from radio transmissions of all types. Faraday-cage types and 'high-security rooms' don't have to be buried at the bottom of mines; they exist everywhere. -- Regards, Paul. England, EU. England's place is in the European Union.
Seemingly Similar Threads
- OT: systemd Poll - So Long, and Thanks for All the fish.
- OT: systemd Poll - So Long, and Thanks for All the fish.
- OT: systemd Poll - So Long, and Thanks for All the fish.
- OT: systemd Poll - So Long, and Thanks for All the fish.
- OT: systemd Poll - So Long, and Thanks for All the fish.