Post AdBf9taLo5GK18AJyS by dalias@hachyderm.io
Post #AdBf5CHUruH2YO6ega by dave_aitel@mastodon.social
2023-12-20T22:45:11Z
1 like, 0 repeats
I really want more focused rhetorical flair from CISA tbh. Something like "Every security patch is a failure of process and initiative. They should be extremely rare - not on a monthly cadence. A secure by design product does not have a patch cycle."
Post #AdBf9skEvpZvPVmhkW by mdfranz@infosec.exchange
2023-12-24T22:16:29Z
0 likes, 0 repeats
@dave_aitel I guess I’ve been in security (and product companies) too fucking long to believe that is even possible.
Post #AdBf9taLo5GK18AJyS by dalias@hachyderm.io
2023-12-25T06:00:55Z
0 likes, 0 repeats
@mdfranz @dave_aitel It's definitely possible. Look at something like OpenSSH where incidents are like once-in-a-decade events and most are not catastrophic but minor weakenings.
Post #AdBf9ugPj1hrQE0g40 by alecmuffett@mastodon.social
2023-12-25T15:02:59Z
0 likes, 0 repeats
@dalias @mdfranz @dave_aitel https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Openssh suggests that the reality is more murky and complicated than suggested.
Post #AdBf9vVSfEXVyXtRdA by dalias@hachyderm.io
2023-12-25T15:21:35Z
0 likes, 0 repeats
@alecmuffett @mdfranz @dave_aitel A large number of those are in integrations with insecure junkware, hardware vulnerabilities unrelated to OpenSSH, tools other than the sshd either distributed with or entirely independent of OpenSSH itself, etc. The double free looks like a real serious one but was only briefly introduced and seems to have affected users following the latest version rather than long-term.
Post #AdBf9wFXttP2HTSFSi by alecmuffett@mastodon.social
2023-12-25T15:25:27Z
0 likes, 0 repeats
@dalias @mdfranz @dave_aitel it is really easy to escape charges of being more murky and more complicated by narrowing or changing the scope; similarly, we could chop out any vulnerabilities which occurred in linked libraries or (e.g.) due to operating systems random number generators being weak… but at some point that just becomes cheating. Easier instead to acknowledge the murkiness and that software is complicated and messy.
Post #AdBf9wyvBBhOYCgUBk by dalias@hachyderm.io
2023-12-25T15:31:43Z
1 like, 0 repeats
@alecmuffett @mdfranz @dave_aitel No, "acknowledging" that is an abdication of responsibility to make the scope of one's own work maximally correct and secure, even if other broken components of the system may compromise the system as a whole. "Everything is broken so why try?" is the reason everything is broken.
Post #AdBfEJQve8X1LFrfKS by alecmuffett@mastodon.social
2023-12-25T15:34:37Z
0 likes, 0 repeats
@dalias @mdfranz @dave_aitel You're absolutely right, it is an abdication; but in the past 35 years or so I've seen trusted platforms and A1 secure trusted systems and provers… and they all go on for about 5 to 10 years before people get bored and move on to the next thing.
Post #AdBfEKFGcynVrNPrn6 by dalias@hachyderm.io
2023-12-25T15:43:17Z
1 like, 0 repeats
@alecmuffett @mdfranz @dave_aitel Cut down the number of components that are exposed as attack surface until you can count them on one hand, and make sure they're developed with the same level of competence and track record for rarity of severe vulns as something like OpenSSH 😈 rather than something like Chrome 🤡.
Post #AdBfJ7vjqGF776ZTiy by alecmuffett@mastodon.social
2023-12-25T16:01:50Z
0 likes, 0 repeats
@dalias @mdfranz @dave_aitel "…and then run it on Linux" :-)
Post #AdBfJ8bvJPzFDwJATg by dalias@hachyderm.io
2023-12-25T16:04:43Z
0 likes, 0 repeats
@alecmuffett @mdfranz @dave_aitel Linux mostly isn't attack surface because attackers aren't interfacing with Linux but whatever your application is.
Post #AdBfJ9GKtAJTFHDRT6 by alecmuffett@mastodon.social
2023-12-25T16:09:18Z
0 likes, 0 repeats
@dalias @mdfranz @dave_aitel that's really interesting. What's the definition of an attack surface?
Post #AdBfJ9xEJgclOJHhKK by dalias@hachyderm.io
2023-12-25T16:14:45Z
0 likes, 0 repeats
@alecmuffett @mdfranz @dave_aitel In the most simplified form, a component the attacker is able to interact with in some meaningful way.
Post #AdBfJAd3oA5JU2r6Wm by mdfranz@infosec.exchange
2023-12-25T18:33:13Z
0 likes, 0 repeats
@dalias @alecmuffett @dave_aitel I have a SaaS bias, but many vulnerabilities are cross-component, often because so few security folks understand the end-to-end and full-stack view, or security functions are delegated to another component.
Post #AdBfJBLj85oViZkm9I by alecmuffett@mastodon.social
2023-12-25T18:36:19Z
0 likes, 0 repeats
@mdfranz I'm with you re: that observation, although one will never convince the people who are into theorem proving or formal methods or Coq or whatever, because they live in a world of small elegant perfect things. /cc @dalias @dave_aitel
Post #AdBfJC6WK7FC3he95M by mdfranz@infosec.exchange
2023-12-25T18:55:41Z
0 likes, 0 repeats
@alecmuffett @dalias @dave_aitel That (well-intentioned) nonsense would never survive in any commercial product company where the bar for delivery is "mostly works most of the time" with a bare minimum of somewhat tested and in CI/CD as the happy path.
Post #AdBfJCiS35aLxLORCy by dalias@hachyderm.io
2023-12-25T20:05:40Z
1 like, 0 repeats
@mdfranz @alecmuffett @dave_aitel Thus commercial product companies' products don't survive against motivated attackers. There's a reason all the near-unbreakable stuff is done by dedicated FOSS volunteers (note: I'm not claiming the converse!) and not by tech companies.
Post #AdBff34wYo6GRCKWFU by alecmuffett@mastodon.social
2023-12-25T20:25:18Z
0 likes, 0 repeats
@dalias it is regrettable therefore that in the scale of software, the nearly unbreakable stuff is but a drop in the ocean. @mdfranz @dave_aitel
Post #AdBff3zJBFBdG0hX6W by dalias@hachyderm.io
2023-12-25T22:56:14Z
0 likes, 0 repeats
@alecmuffett @mdfranz @dave_aitel 🤷 You just need to be in a position of not depending on the ocean of garbage in ways that you suffer significant harm if it's compromised.
Post #AdBff4iKTrCPVdlUHI by mdfranz@infosec.exchange
2023-12-26T02:06:26Z
0 likes, 0 repeats
@dalias @alecmuffett @dave_aitel "ocean of garbage" meaning the code and services you (or your team) didn't write? Or the underlying cloud infrastructure your service depends on that you have limited control over? Or upstream/downstream services?
Post #AdBff5zjiciXTuuu36 by dalias@hachyderm.io
2023-12-26T02:14:08Z
0 likes, 0 repeats
@mdfranz @alecmuffett @dave_aitel I don't think I wrote OpenSSH. 😁 I'm talking about the "ocean" in the post I was immediately replying to - just the bulk of software that's not designed secure from the ground up.
Post #AdBff6gz7pJPe39RSa by lanodan@queer.hacktivis.me
2023-12-26T02:22:47.795170Z
0 likes, 0 repeats
@dalias @mdfranz @alecmuffett @dave_aitel At the same time, something as critical as OpenSSH ought to pass code audits; you don't need to write things yourself to assert them as good, although you'll probably end up writing patches or submitting bug reports. Meanwhile the ocean smells without much inspection.