Computer security is shit

I made an image today after working in the salt mines.

usmsp.gif610×995 24.2 KB

Let’s talk about computer security!

I’m hard pressed to say exactly how you conveyed this impression; but I love how the all-seeing-eye is clearly showing signs of weariness from having to look on too much, too long. Much more situationally appropriate than the more typical omniscient-and-threatening stance.

vast complex webs of OS code, application code, and vast webs of arseholes out there trying to exploit it.
how can it be otherwise? one thing that both gives me hope and despair is how often it is social engineering at the root of a lot of stuff and that comes into the realm of you can’t fix stupid.
keep fighting the good fight @enso we are all on your side here. and if you are ever in seattle i owe ya a beverage of choice.

On the plus side, I think it used to be worse. NeXT used Display PostScript. You could root a box with an email with some hidden postscript in it (among many other sneaky vectors, you just needed to get an invisible thing into something that rendered anything). You could root a box very quietly since the problems were mostly hiding in the rendering of the screen. You could take over the built in microphone quietly and stream audio to anywhere. The DoD systematically destroyed the built in mikes in all their black hardware since there was no OS level defense. This was part of why Apple moved to DisplayPDF (as well as licensing).

On the down side, it’s way more complex and gross now. I feel your pain.

A contemporary attack surface(artist’s rendering)

Right - right? My kids, I’m perhaps recklessly encouraging them into the creative side - fuck work.

/me cries

I just came back from Seattle on Sunday!

It looks like an early Death Star design.

But the ridiculous cube shape would probably make it too easy to zoom in and blow up the main reactor.

It looks like a Menger sponge.

Over recent years I’m coming into line with the thinking that if we can’t get users to do things in a secure fashion, then we’ve designed the product / protocol wrong. If users are the weak link, we need to find a way to make it harder for them to screw up.

Infinite surface area and riddled with holes at any scale you choose. Seemed like the most appropriate fractal available.

Attacks are moving down the stack. In the NeXT days, firmware malware would have been unthinkable.

@fuzzyfungus → 0x29a
The surface where I work is somewhere between:

and

The CIO where I work (no real C level representation for InfoSec) keeps telling “Cyber Stories” seriously, who talks like that?!

Work is for suckers - if they can get around it, they should and if they can make a buck doing something they love while working for themselves, it’s just about as good as not working.

Why the citizens of this country are all “yay democracy” then when they go to work they’re all “yay authoritarianism” - totally don’t understand that disconnect.

I’d find it easier to be smug about Display Postscript if I were sure that WebGL was properly disabled on my system…

I’ve been gathering data for the last two weeks, fingerprinting browsers, mobile apps, api traffic, and network stacks.

Did you know that for tls traffic, even when you can’t decrypt it and inject fingerprinting code, the types of cipher suites and their position in the Client Hello flow is a fairly decent indicator of OS and application? Sure, you could recompile openssl and start reordering shit, but noone ever does. And it’s an even bigger pain on Winedows

<----- went to a security con once in Louisville, got a rubber bracelet that read “LIVERSTRONG”.

love that town.

Yes… This is known. All sorts of passive fingerprinting attacks have been discussed over the last few years.

DerbyCon?

I was just surprised at the accuracy, especially for finding say a python scraper claiming to be firefox. That shit stands out like a sore thumb.

The same.