Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Bug

Former NSA Computer Scientist: Patching Vulnerabilities Gives False Sense of Security (itwire.com) 112

A former NSA computer scientist is disgusted with the current state of security practices, writes ITWire. Slashdot reader samuel_the_fool shares their report: Patching of vulnerabilities is the security industry's equivalent of thoughts and prayers, a prominent American security expert has said during a debate on the topic "Patching is useless" at a recent online conference named Hack At The Harbor. Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years, said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems still remained.... Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched....

Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather Windows machines.

Aitel called for vulnerability management, advocating the government as the best entity to handle this. His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.

This discussion has been archived. No new comments can be posted.

Former NSA Computer Scientist: Patching Vulnerabilities Gives False Sense of Security

Comments Filter:
  • Great plan (Score:4, Insightful)

    by GrumpySteen ( 1250194 ) on Sunday April 24, 2022 @05:34PM (#62474868)

    "Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others" ... which will also be vulnerable.

    • Comment removed based on user account deletion
      • Re:Great plan (Score:5, Interesting)

        by Arethan ( 223197 ) on Sunday April 24, 2022 @06:02PM (#62474930) Journal

        I think he's alluding to the point that any potentially compromised machine could have been also been infected with a more permanent (and probably remotely accessible) exploit during the time it was vulnerable, and you'd never be the wiser. Simply patching the known vulnerability does nothing to resolve the other malware that was installed onto it.

        Throwing out any device that had a known vulnerability in the past does seem a bit extreme, but this is a balance against the sensitivity of its operating purpose. If you're a government no-such-agency full of spooks, then you're probably a bit more concerned about how you can trust your devices than joe normal.

        • Comment removed based on user account deletion
        • I think he's alluding to the point that any potentially compromised machine could have been also been infected with a more permanent (and probably remotely accessible) exploit during the time it was vulnerable, and you'd never be the wiser.

          Good point, but given his subsequent comment on the Linux kernel and what looks like his assumption that anyone can just put code into it I don't credit him with that kind of big-brain forethought which you applied to his comment.

          "Security" isn't a thing. It's a game of risk where risk is the likelihood and consequence of an event happening. Specifically here for your comment there a concept of concurrent events, the likelihood of a known vulnerability existing combined with the likelihood that it had alrea

        • > I think he's alluding to the point that any potentially compromised machine could have been also been infected with a more permanent (and probably remotely accessible) exploit during the time it was vulnerable

          This actually happened at the place I work for. We detected an intrusion way too late. It subtly modified existing binaries to inject a payload. It was insane. (yes signed binaries etc would mitigate... or not)

          At that point "no binaries are trusted." Every executable everywhere was hunted down and

        • by AmiMoJo ( 196126 )

          Sounds like a great way to infiltrate an organisation. Maybe you only have a low level exploit that can't get you very far, but you know that if you use it they will throw the hardware away and replace it. Then you have two opportunities to compromise them - you can sell them pre-0wned hardware with firmware level undetectable malware, or you can go dumpster diving for any data they forgot to securely erase.

          The Snowden leaks showed that the NSA was intercepting hardware during shipping to install firmware b

      • Re:Great plan (Score:5, Interesting)

        by ctilsie242 ( 4841247 ) on Sunday April 24, 2022 @08:59PM (#62475304)

        Times have changed, from when devices had a ROM burned in, and sometimes firmware was an update to it, where it would have a 1.0 firmware in ROM, then be able to upgrade to newer stuff. Now, many devices have firmware, and once updated, it is next to impossible to fix if the update is compromised, even with access to the JTAG points (which are often destroyed via an eFuse after the initial firmware is loaded.)

        Things like HDD controllers, video cards, keyboard controllers, mice... almost everything can be compromised in such a manner, and the only real fix is replacement.

        Of course, the solution would be a way to put the item into a known state that it can be updated to a known good firmware option (like a burned into ROM bootloader or DFU restore for iDevices)... but most companies are uninterested in anything that might cut into their profit margins without the government stepping in, so the only feasible thing is rip and replace as of now.

        • by Z00L00K ( 682162 )

          The only sensible method to use in order to limit the risks is to break down the network into smaller segments that can be isolated so that you have one segment for printers, one or more for sensors, yet one more for network management, one or more for the servers etc.

          Also make sure that the network management is done locally and not from a remote site managing a huge number of sites since what would happen if the network management hub is compromised?

          More work to manage the net, but what is the cost when t

        • by AmiMoJo ( 196126 )

          DFU is no solution. The DFU interface is itself firmware, and can compromise any firmware image you give it.

          Once I wrote a special DFU firmware that did exactly that. We had a product that needed two hardware versions due to shortages of components, and it patched the firmware as it was being loaded to suit which one it was running on.

    • Following that advice then we should just shut the internet off, turn out the lights and all go home
      • Well the argument must eventually reach a point about how unconstitutional it is to force people to secure their own computer software.... Just thinking out loud....just for the sake of argument...

      • Following that advice then we should just shut the internet off, turn out the lights and all go home

        That sounds like a NSA STIG ... :-)

      • Comment removed based on user account deletion
        • No, we should all use Chromebooks and only use software and services provided by Google. Didn't you read TFA?

          He also says we should trust the government to protect us.

          • by narcc ( 412956 )

            The guys who tell us not to trust the government to protect us are the same ones who insist that we need to spend more on defense.

    • by Anonymous Coward

      "Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others"
      ... which will also be vulnerable.

      Exactly. Combined with his opinion on Linux (Don't use the Linux Kernel, use Chrome OS ... which uses the Linux Kernel) shows that he is just another clueless hack.

      It's not very encouraging to know that the NSA hires dolts like this.

      • Re: (Score:3, Insightful)

        by rudy_wayne ( 414635 )

        advocating the government as the best entity to handle this. ... no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.

        More proof of this guy's complete lack of a clue.

        The government is mostly controlled by lobbyists, working on behalf of all the companies who produce shitty insecure products, bribing politicians so that they can continue to produce shitty insecure products.

        • Re:Great plan (Score:5, Insightful)

          by Tom ( 822 ) on Sunday April 24, 2022 @07:01PM (#62475070) Homepage Journal

          The government is mostly controlled by lobbyists, working on behalf of all the companies who produce shitty insecure products, bribing politicians so that they can continue to produce shitty insecure products.

          But he's right that the government is the only one big and powerful enough to do the job.

          Which is exactly why a lot of lobbying money is being spend on making sure they don't.

  • What? (Score:5, Insightful)

    by systemd-anonymousd ( 6652324 ) on Sunday April 24, 2022 @05:34PM (#62474872)

    >Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

    >On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather Windows machines.

    So, "Stop using the Linux kernel! You need to use ChromeOS, an OS that uses the Linux kernel!"

    • by BeerCat ( 685972 )

      So, "Stop using the Linux kernel! You need to use ChromeOS, an OS that uses the Linux kernel!"

      But, but (waves hands). "Chrome" has a nice hard sound, so must be cool. "Linux" has an 'x' in it, so is dodgy and x-rated

      • by ceoyoyo ( 59147 )

        The NSA recommends not patching, avoiding Linux and using Chrome. Sounds about right.

    • Or more charitably, don't expose Linux to user space.

      Non Google applications don't get to see Linux, outside of VMs, they only see the Google sandbox.

    • It's more like:

      "Stop using the Linux, it's Chinese. Use a product from a legitimate vendor like Google who would never spy on you."

      Which is even more bizarre: The general public doesn't know where Chrome OS's kernel came from... but they do know Google spies on everyone.

      I'm surprised they didn't kick it up a notch and link the free software movement to promotion of Communism. I remember hearing that one already 20 years ago, before the recent Red Scare revival. Probably better to leave that implied though.

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Sunday April 24, 2022 @06:38PM (#62475006)
        Comment removed based on user account deletion
        • by narcc ( 412956 )

          offloading much of the compute load from the local device to web-based services . . . how can that possibly be more secure than data processing using a correctly curated local software stack

          You've almost got it.

          Google does not care about your privacy or security. They want to lock you into their infrastructure.

          Someone stupid sent me a .gdoc file the other day. The actual document's data was not stored in that file, which was just a little JSON text containing the author's email address and a URL. Why do you think that is?

        • Mod up. Assertion that patching is in a joke state is correct. Start with the assumption that a trustworthy operating system does not do things behind your back. Going to the cloud is a disaster, as your private data is subject to warrant-less searches. No thanks. The solution is bespoke consumer OS compiles, with tripwire tendrils show you when something is wrong or unexpected. The reason this is NOT done, is it will show where applications are cribbing licensing data. Uniformity is so they can hide nast
        • by AmiMoJo ( 196126 )

          Every app on ChromeOS runs in a sandbox, same as Android. Every app is isolated from every other app, and the underlying OS.

          On Linux most apps run as the user who started them, with all the same access rights.

      • Re:What? (Score:5, Insightful)

        by sound+vision ( 884283 ) on Sunday April 24, 2022 @06:38PM (#62475008) Journal

        But besides all that, it sounds like there weren't any good insights or recommendations that came out of this.

        Patching is useless? (No.)
        Patching is the only thing you need to do to secure a system? (No, and nobody said that.)
        Patching gives a false sense of security? (Maybe, but that's a problem within your own mind, and you still need to patch.)

        Am I missing anything? If that's the extent of what was on offer, it's pretty obvious the goal isn't deepening anyone's understanding of security, but promoting a specific product over another.

    • by gweihir ( 88907 )

      >Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

      >On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather Windows machines.

      So, "Stop using the Linux kernel! You need to use ChromeOS, an OS that uses the Linux kernel!"

      Indeed. Probably sucking up to his government customers here. That statement does not make any technological sense.

    • by AmiMoJo ( 196126 )

      By singling out a Chinese company he has shown what an idiot he is. We should treat all patches the same, and properly review them. There are plenty of examples of Western companies and agencies submitting dodgy patches, including the NSA who are known to have deliberately weakened certain encryption standards.

  • Comment removed based on user account deletion
    • by Tom ( 822 ) on Sunday April 24, 2022 @06:59PM (#62475062) Homepage Journal

      Here's what patching security issues in software is:

      Imagine you work at a bank as the physical security manager. Your bank has lots of windows and doors in the building, of course (banks aren't just vaults, there are a lot of offices as well).

      Imagine, every week the manufacturer of those doors and windows sends you a small list and some spare parts, telling you that they found out that the lock of window #281 actually never worked and the window was and is easy to open from the outside. But put in this pin and it'll be good. Oh, and door #1827 doesn't close properly even when it looks like it, but if you know the right way to wiggle it, the spring will release the bolt and it'll jump open. Here's a new spring that doesn't have that problem.

      They do this EVERY WEEK. Sometimes it's smaller problems, sometimes it's like "oops, your vault actually was never fully closed."

      Of course the right thing to do is to apply those "patches" they send you. You'd be an idiot to not do it. But once you step back and realize that this means that for the 7 years you've been doing the job, anyone could at any time have entered through window #281 and you were just lucky so far - or whatever they did was never noticed - you wonder why the fuck you're buying this crappy shit from that crappy manufacturer and why anyone in their right mind would entrust their money to you.

      Then you realize that this is the primary manufacturer of doors and windows in your area, by a wide margin. And that the others have similar problems, just on a smaller scale. And that management likes these particular doors and windows a lot. And that your in-office mail carts only fit through these particular doors, but I'm getting away from the main point.

      This is software security. Yes, patching is the wrong answer. As an individual company, you don't have a better answer, but it's the wrong answer anyway.

      • by chill ( 34294 )

        YES! Hallelujah! Thank you for stating it so clearly.

        This is the state we are in, though I see little hope of it changing. Further the problem is that the primary manufacturer of doors and windows in your area isn't interested in fixing the issue, they're only interested in selling more doors and windows. They're not going to spend money on fixing the underlying structure of their product as that doesn't bring in revenue. They're going to spend it on more features, colors, and then their marketing departmen

        • by Tom ( 822 )

          Taking this a step further, his praise for ChromeOS is spot on. The (original) idea was an OS that was limited to smoothly running the web browser, tailored to the machine it was on, tamper resistant and cryptographically immutable. His point was your could trust the machine that you booted was uninfected on boot -- and could be cleared absolutely on reboot.

          I'm a huge fan of locked-down, purpose-built systems. The idea of the desktop office PC has a huge conceptual flaw. I don't WANT it to be able to do everything imaginable. If this is the machine that has full access to my financial data, I don't want that it can also be used to play games.

          I had big hopes for MacOS when they brought out their sandboxes, but just like SELinux in RedHat, a powerful concept was watered down to be minimally invasive because you can't inconvenience people.

          I know some high-securit

      • Not really. Your comparison falls flat due to the relatively complexity of closing a window vs running GB of software.

        See the original alternate recommendation was to remove the window and install a different one. But then there's precisely zero evidence that the alternate window is any less secure, especially when it is equally as complex.

        Patching is not the wrong answer. It just looks like the wrong answer from your analogy, and the primary software vendor thing is also completely unhelpful since in his a

        • by Tom ( 822 )

          Not really. Your comparison falls flat due to the relatively complexity of closing a window vs running GB of software.

          Seriously, the complexity argument?

          Somehow, we manage to run power stations and fly airplanes without them blowing up for no reason. That's because they are made differently (for starters, we don't let random start-ups put their cobbled-together "go big or go broke" stuff into production without thorough independent testing).

          a) Stick with a manufacturer who you know disclose issues and rectify them in a presumably suitable and fast manner?
          b) Throw everything out and switch to another, one with whom you have no idea prior relationship, idea of how they respond to vulnerabilities, or if they disclose them at all?

          c) Throw everything out and switch to someone who actually knows how to make shit properly.

          If c) doesn't exist - ask myself WTF is wrong with that industry. Oh wait, c) does exist. Peop

      • by bgarcia ( 33222 )

        This is an incorrect analogy.

        The security export is saying that the vulnerable machine should be replaced with different hardware because you can't be sure that the vulnerability hasn't already been compromised and that the hardware in question already contains a trojan or backdoor. Patching it at that point is "closing the barn door after the horse has bolted" - you're too late. You're assuming that you've managed to apply the patch before it had been compromised. If you or your company/entity takes sec

        • by Tom ( 822 )

          Instead, you should replace the vulnerable machine. You can replace it with identical hardware that has been carefully patched while offline. Changing vendors is not necessarily part of this solution - that's only considered if the vulnerabilities are so numerous that you find yourself patching things (or ideally, replacing your vulnerable hardware) "regularly".

          Does weekly count as "regularly" for you?

          because you can't be sure that the vulnerability hasn't already been compromised

          It's worse than that.

          If there are vulnerabilities that can compromise you found ALL THE TIME, then thinking about last week's vulnerability is silly. You should think about NEXT week's. You don't know it yet, but you would bet money that it exists, right?

  • Turn it all off. Shut it all down. Nothing is safe. Everyone is in on it. Can't trust anyone. The rest of us are morons. Can't hack a device that isn't powered on.

    I'm so glad this guy weighed in. I feel better. On Monday, I'm going to the board with this

    --
    I went to a fight the other night, and a hockey game broke out. - Rodney Dangerfield

  • by echo123 ( 1266692 ) on Sunday April 24, 2022 @05:52PM (#62474904)

    Aitel likened patches to orange juice — a common part of breakfast in the US — pointing out that for many years people had believed that it was the most useful part of one's morning meal. In the end, it had been found to be a source of too much sugar and something that made people obese, he added.

    Given all the IoT/Amazon devices I'm amazed to discover at relatives' homes, over time, as they (relatives along with devices) age-out, I'm totally unsurprised, (and out of breath trying to explain the risks to my aging relatives).

    • Orange juice making people obese... Well I'm glad his knowledge of fruit is no better than his knowledge of the Linux kernel contribution process.

  • by iggymanz ( 596061 ) on Sunday April 24, 2022 @05:58PM (#62474914)

    So Aitel takes a swipe at Linux, Huawei Technologies and China with the *allegations* of our known lying government, and he worked for the federal agency that is known to violate the constitution and law in spying on we the people.

    Fuck off, Aitel, the biggest threat to our security is you and your ilk, not any foreign government.

    • by Dracos ( 107777 )

      Yep, this guy is shilling for some combination of entities that already have too much power and influence.

      Makes you wonder what kind of backdoors the US government paid Google to put into ChromeOS.

  • by belthize ( 990217 ) on Sunday April 24, 2022 @05:58PM (#62474916)

    Apparently this was from some debate at an online conference (Hack at the Harbor) between Aitel and Phillip Wylie. The article kind of plays up Aitel before weakly admitting that Wylie won the debate according to audience voting.

    So random guy who had a job at a Federal TLA was in a debate at a random security conference and lost but he had things to say....

    Slow news day apparently.

    • So random guy who had a job at a Federal TLA was in a debate at a random security conference and lost but he had things to say.

      I think the point of the summary is that the Federal TLA guy told people to use ChromeOS instead of Windows. Which is probably an agenda the submitter is trying to push.

      I do a similar thing where I like to trash Java. I recently submitted a summary to slashdot about Psychic Paper Java vulnerability, which is hilariously bad if you read about it, but my submission got marked as "Spam

    • No, this is very important. Remember this guy worked at the NSA so presumably he was the best and brightest we have to offer. Just remember that the next time you're worried about them hoovering up all your data, we're talking about a TLA who employs people who say don't use the Linux kernel use ChromeOS (want to play guess the kernel?) instead...

    • > So random guy who had a job at a Federal TLA was in a debate at a random security conference and lost but he had things to say....

      I think he said Google doesn't patch ChromeOS?

      Back to the DMV then.

  • Yeah, ok, like Iâ(TM)m gonna listen to a guy that was part of an organization that criminally spied on people and abused its power.
    • Yeah, ok, like IÃ(TM)m gonna listen to a guy that was part of an organization

      Can we be sure that "was" is the appropriate tense for his involvement with a secretive Federal agency?

      • by Sebby ( 238625 )

        Yeah, ok, like IÃ(TM)m gonna listen to a guy that was part of an organization

        Can we be sure that "was" is the appropriate tense for his involvement with a secretive Federal agency?

        Perhaps he still is, but by his own admission he at least was.

  • by weeboo0104 ( 644849 ) on Sunday April 24, 2022 @06:09PM (#62474950) Journal

    Seriously.

    Not every security flaw in software necessitates a full rewrite. Patches also take the form of bugfixes and functionality improvements. Form follows function. We find a flaw and then mitigate it for correction in the next major release.

    Also, I have a major issue with his argument that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry. My own argument would be that no other entity has bigger incentive to accept donations from the lobby of the big software vendors and the security industry.

    • Yeah government solving this problem is laughable. How do you get skilled security theorists into government who also have some idea about practicality and the realities of systems programming? Not easily.
      • Judging by the repeated, continual security faceplants in the corporate world, there must not be skilled security theorists anywhere.

    • by Tom ( 822 )

      Not every security flaw in software necessitates a full rewrite

      That's because most security flaws are not fully understood and are only patches - as in "applying a band-aid", not fully fixed.

      Read "They write the right stuff" (giyf). Unless you've done an actual root cause analysis of your security flaw (one like described there, not the shit software development courses teach you), you've only fixed the surface problem, not the underlying problem(s). The same or similar bug can re-appear at any time elsewhere in the code. You aren't really better than you were before.

      Also, I have a major issue with his argument that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry. My own argument would be that no other entity has bigger incentive to accept donations from the lobby of the big software vendors and the security industry.

      B

      • by gweihir ( 88907 )

        Not every security flaw in software necessitates a full rewrite

        That's because most security flaws are not fully understood and are only patches - as in "applying a band-aid", not fully fixed.

        Indeed. Many security problems actually stem from bad architecture and bad design. Patches do not really fix these. If you have good architecture and design, patches will be for minor errors and not come with serious issues of themselves. The second type of patch can sometimes be seen, for example, in Linux or the xBSDs. Unfortunately, the prevalent form is the first one: Somebody screwed up because they have no clue how to do their jobs.

  • As long as we're willing to accept crapware that has vulnerabilities that need to be patched, then we can expect more of the same. And the rate of patching is an indication of how bad the base system is.

    This will continue as long as software vendors have no legal liability, and therefore no -financial- incentive to prevent bugs. When it starts hurting them in the pocketbook, software vendors will start to take a very different perspective on security vulnerabilities.

    • by Tom ( 822 )

      As long as we're willing to accept crapware that has vulnerabilities that need to be patched, then we can expect more of the same. And the rate of patching is an indication of how bad the base system is.

      This.

      The fact that patches and patching exist isn't the problem, it's a good thing. Imagine you couldn't fix a bug AT ALL once you release the software. Damn.

      But the fact that patching isn't a rare event for when one of your three blunders is finally figured out by someone, but something that now happens ON A FIXED DAY EVERY WEEK - there's your problem right there. It's become ok to release crappy, shitty, half-finished software full of problems and then slowly fix them over the next decade or so.

      This needs

      • by gweihir ( 88907 )

        Also, software and computer systems come with wayy too little redundancy these days, especially regarding security. Redundancy is a tried and true approach used in all professional engineering. For software security, it is often not even taught. What is does is alleviating the need to patch _now_ because attacks are already being conducted. It also helps mitigating the fact that most people that write software still have no clue about security and about how to produce good quality software. Instead things g

        • by Tom ( 822 )

          Redundancy is a tried and true approach used in all professional engineering.

          To be fair, engineering large has to defend against intentionally malicious actors. When it comes to availability alone, redundancy is pretty established (RAID, clusters, etc.)

          Startups always seem to forget about everything until it beings to hurt and they bring someone in who has actually seen a real server before, but hey, there's a reason 90% of them fail.

          • by gweihir ( 88907 )

            Well, yes. That makes good redundancy even more needed, not less. Completely agree about the startups.

            • by Tom ( 822 )

              Well, yes. That makes good redundancy even more needed, not less.

              Wrong.

              This is one of the things I fight with when I do cybersecurity in an industrial context. For engineers it seems a common thought is "when in doubt, add more redundancy". But for cybersecurity, redundancy doesn't do much. To hack 1 server or 10 (identical) servers is more or less the same effort. Even in a (D)DoS context, redundancy only helps so much.

    • by gweihir ( 88907 )

      Indeed, well put. With software, basically everybody is still only after a quick buck. If mechanical engineering was like this, steam-boilers would still routinely blow up.

  • If he truly believes patching is useless, then we must assume Dave Aitel runs all his computer hardware unpatched, the way it came out of the box when he bought it. I wonder what unpatched phone he uses. Maybe the reason why he became a former NSA employee is because he kept on using unpatched software and perhaps advocated against patching any software at the NSA?
    • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Patching is not useless. But patching is a high-effort temporary solution that may or may not work or be in time in each instance you do it. It is not a professional-level approach. You only need to patch because the engineering was screwed up before. As patching is prevalent, that does not say anything good about the practice of generating software. And that has to change.

      • Well, the debate title was "Patching is useless", not "Patching is not enough". Perhaps this is politician speak, rather than programmer speak, where "not enough" == "useless".

        As for your point about patching, I agree that patching is not enough, however it will always be required. Efforts should be made to make better designs, and while I've always believed in a thorough design and validation, a good counterpoint is Tesla. Elon's motto of "Ship it now, fix it later via OTA" is working really well for th
        • I didn't look at any of the linked articles of course. But my thought on "patching is useless" is that a lot of the effort that goes into patching is better spent on things like identity management that are much higher risks. Not *all* the effort, but a lot of it. I've been involved in so many intrusions and pen tests where an unpatched vulnerability just didn't enter into it. Meanwhile they are having an easy time of it using weak or default credentials. It requires a certain amount of thought. Internet e
          • Unpatched internal servers are still vulnerabilities. Yes the attack surface may be smaller, but in a sufficiently large network compromised devices will find their way in - hence Zero Trust Networks. Now, if you are saying that there may be higher priority tasks which should be performed by IT rather than patching a low severity bug, sure, but it should be looked at on a case by case basis to optimize the usage of your limited IT resources.
            • by gweihir ( 88907 )

              And that is just it: IT operations and IT security people need to carefully (but fast) prioritize everything. If they mess it up, it can get very expensive, up to loss of the enterprise. There are no working fixed strategies at this time, because IT and CS are both still in their infancy and most "solutions" are not mature, with the usual effects on security, stability, resilience, performance and cost.

        • by gweihir ( 88907 )

          Well, the debate title was "Patching is useless", not "Patching is not enough". Perhaps this is politician speak, rather than programmer speak, where "not enough" == "useless".

          Ah, yes, that nil-whit level stupidity. Probably. As to patches, they may eventually go away, when software is resilient and redundant enough that updates are enough. Even in those cases, patches must be possible, because it can still happen that one detail needs to be fixed fast. But patches should be _rare_. About as rare as vendor-recalls of cars used to be, for example. (These have, unfortunately, gotten much more common, usually because of efforts to make some parts cheaper-than-possible, often driven

  • Every single slashdot article on vulnerabilities ends up being an advertisement for a security company. Every single one.

    It could be excused if there was a real vulnerability being disclosed, but when the articles are essentially all saying the same thing: "Your current security practices suck for xxx, yyy, and zzz reason, hire us instead", it's ridiculous.

    • by Tom ( 822 ) on Sunday April 24, 2022 @06:40PM (#62475012) Homepage Journal

      the articles are essentially all saying the same thing: "Your current security practices suck for xxx, yyy, and zzz reason, hire us instead", it's ridiculous.

      The 2nd part is, the 1st part isn't.

      Security is laughable. I've worked for clients that are critical to entire sectors and/or the functioning of an entire country. On a scale of 1 to 10 where 10 is "I can't imagine anyone breaking into this", nobody I've seen ever got past 6 or 7 and quite a lot of places can't make it halfway on a good day. Very few people even understand concepts such das Defense in Depth beyond the trival level ("yes, we have a DMZ"). Most places are one 0day in the hands of a truly malicious actor away from being remotely shut down.

      The biggest step forward in security over the past 20 years was the invention of ransomware. It gave the attackers a clear path towards monetization. I sometimes wonder if we shouldn't consider it a defensive countermeasure. If all the bright minds that work on inventing new ransomware would work on more evil stuff, we'd be having much bigger problems.

      Or maybe I'm just becoming zynical after having seen too much.

      • by gweihir ( 88907 )

        Security is laughable. I've worked for clients that are critical to entire sectors and/or the functioning of an entire country.

        Same here. Instead massive effort goes into making websites more gaudy and repeating all the past stupid mistakes via "apps". Security gets _worse_, not better.

        The biggest step forward in security over the past 20 years was the invention of ransomware. It gave the attackers a clear path towards monetization. I sometimes wonder if we shouldn't consider it a defensive countermeasure. If all the bright minds that work on inventing new ransomware would work on more evil stuff, we'd be having much bigger problems.

        Or maybe I'm just becoming zynical after having seen too much.

        Well, the advent of ransomware clearly shows that the CS field has been dicking around incompetently the last 30 or 40 years and ignored the actual problems. That it requires a strong outside pressure to even start to think about maybe doing something differently is an utter disgrace to any field. Still better to get that outside pressure when things

    • by gweihir ( 88907 )

      Indeed. This makes it very clear that security is _still_ not taken seriously and only seen as a way to make a quick buck. In reality, IT security becomes more and more critical and critical. Not the only problem that is critical and getting more urgent every day that gets ignored or half-assed.

  • When it comes to securing your data, forget computers; stick with pencil and paper. Think about it for a second. Not only does someone need access to the specific piece of paper where the data is stored, but they also need physical access to you and the pocket the paper is stored in. No amount of computer or network hacking and no amount of communications interception will gain someone access to your data. Sure, copying or actually using that data is less than practical, but you can't have everything.
    If you

    • Tried that way and liked it for most of my life. Works really well if you can do it in depth.

      Of course, then comes along something like the Holiday Farm Fire - https://inciweb.nwcg.gov/incident/maps/7170/ [nwcg.gov]

      Multiple copies, distributed over 6 places around 40 square miles. A really nice hard copy library.
      Not complaining mind you, catastrophic means that after all. There are no perfect solutions.

      Ask me sometime about my video of what happens to a ToughBook when it meets a forest fire head on.
    • You forgot about the best advantage of paper - cute female file clerks in short skirts that you get to interact with on a daily basis, rather than some odiferous fat guy in IT.

  • by gweihir ( 88907 ) on Sunday April 24, 2022 @08:18PM (#62475232)

    The CS field has immensely disgraced itself over the last 30 years or so, buy not taking security seriously. It continues to disgrace itself these days and there are only minimal efforts to end that. My personal disappointment abut the continued failure of the CS field to establish itself as a respectable engineering discipline that produces dependable and secure solutions is pretty strong these days and I see little insight and even less effort to change that. Instead, many cosmetic and meaningless hypes have been followed over the years, actively preventing technologies from getting established and mature. There was little innovation and little relevant research results. Much of this is driven by big-ego-mediocre-skill types that unfortunately got an audience. Most advances (e.g. Smartphones, faster CPUs, more Memory, LCD screens, etc.) were not even CS research results at all, but done by EE, material sciences, communication technology or other established engineering disciplines. CS research is characterized by low-quality incremental "improvements" of the current hype, not by addressing fundamental problems like why software is still an insecure mess and a high level of difficulty to get funding or publish when you are trying to address the fundamental problems. The few people that manage it have their results usually ignored afterwards. In addition there still is a large group of nil-whits that try to push _their_ magic solution, when it has become amply clear there are no magic solutions.

    As to the Linux Kernel, that statement is political and bogus. I would think it is not even clear whether he believes it. This may well be something he says to cater to his customers. In fact, you cannot honestly damn the Linux kernel and at the same time say Chromebooks are a very good thing.

  • Meh (Score:5, Insightful)

    by dogsbreath ( 730413 ) on Sunday April 24, 2022 @08:32PM (#62475268)

    Taking extreme positions and making outrageous statements is one way to draw attention to valid issues. To me, Aitel comes across as condescending and self serving but hey, he ran a private shop and likely is used to proselytizing and marketing. He denigrates patching but promotes a single os choice based on personal bias.

    Disclaimer: I've been out of the system security arena for over 15 years so I am sure there are lot more issues to deal with now but some things don't change. A few points about what security isn't:

          it is not provided by any application or device (eg antivirus, firewalls, intrusion detection systems)
          it is not created by patching
          it is not provided by operating system choice
          it is not provided by contracting out security services or relying on advice from vendors. Not any vendor.

    The above may be items in a security architecture but none are "security" by themselves. If all you do is patch but don't change the default admin account, well duh, of course that is not going to do much. If you do some system hardening and then fail to look at things on a regular basis, you will be burnt eventually.

    In my experience, security is provided when attention is payed to it and resources are allocated appropriately. This means developing a security culture, some components of which are definitions of what security means to an organization and how the organization will prioritize security. Off of that, concrete things like employee education plans, server and network architectures, policies and procedures, roles and responsibilities can be developed. Patching will be part of these processes.

    Vendor, operating system, hardware choices, etc are usually driven by business requirements. Despite my personal bias towards 'nix systems, the reality is one os is not any more secure than any other when all is said and done.

    The key is to pay attention and make security important. Value your shit and act accordingly. Look at Sony America and see what happens when you cheap out.

    This is all very scalable and applies from a single notebook up to massive data centres.

  • Lets all forget what Ed did for Booze-Hamilton: attaching sniffers to motherboards before they left the factory. Yes, patching is basically useless.
  • Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

    Yeah, you wonder why the US doesn't like Huawei, because they actually make their hardware safe against US agencies hacking, WHICH is the reason why the US tries to get everybody to not trust the Huawei hardware and hope people go get hardware less secure so the US can more easily spy on their own friends.
    Every patch suggest by Huawei (or any other company) gets checked before being integrated into the kernel, so I have big doubts about why this so called security expert says it's not to be trusted.
    What e

  • I know we are not supposed to judge on appearances, but on the other hand the guy is wearing a bunny ears headset with mirror shades
  • I'm pretty sure he's not allowed to use the fact that he worked at NSA in order to support a specific vendor

    • --unless the NSA *wants* him to support a specific vendor.

      Linux kernel: "Wild west" open-source that the NSA has little control over. "Rotten security."

      ChromeOS: Controlled by a single vendor who the NSA can convince to take that kernel and add their "secret sauce" to the platform. "Use this one!"

      I'm not accusing anyone; just suggesting that it's not infinitely less plausible than the "he's an idiot" hypothesis.

No spitting on the Bus! Thank you, The Mgt.

Working...