Rich Kulawiec on 12 Nov 2017 12:07:04 -0800



Re: [PLUG] One bug to bite us all?


On Thu, Nov 09, 2017 at 02:57:08PM -0500, K.S. Bhaskar wrote:
> http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system
> would seem to be hard to get away from… Also, an easy way for the No Such
> Agencies of this world to get targeted vulnerabilities into selected
> companies, countries, etc.

Annnnnnd this is one of the reasons why I was (and have been, for years)
so adamant that the only acceptable security policy is default-deny.

	[ I'm referring to messages in this thread from August:

	http://lists.netisland.net/archives/plug/plug-2017-08/msg00032.html

	which started being about ssh hardening and turned into a more
	general discussion of firewall/security philosophy. ]

Anyone who's running a default-permit environment (in any direction) is
wide open to exploits of this vulnerability.  Anyone who's running
a default-deny environment has greatly reduced their exposure.
Of course, that exposure still isn't zero, absent air gaps -- and
maybe not even then.  But it's a lot less, because any exploit via this
onboard OS will have to use the limited set of data paths available in
the environment instead of being able to use arbitrary ones.

The point is not that this philosophy solves this particular problem.
It quite clearly doesn't: it's not a panacea for this or anything else.
The point is that it gives defenders a fighting chance against a problem
that (almost) nobody saw coming.  And that's why you do it: not for
the problems you know you have, but for the ones you don't know about.

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
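What a default-deny host policy "in any direction" looks like in practice, as an added nftables example that is not from the original post or thread; the 192.0.2.x addresses and the three permitted egress destinations are assumed placeholders:

```nft
#!/usr/sbin/nft -f
# Added example: host firewall with default-deny in BOTH directions.
# Addresses are assumed placeholders from the 192.0.2.0/24 documentation range.
flush ruleset

table inet filter {
    chain input {
        # "policy drop" is the default-deny; the default-permit setup the
        # post warns about would read "policy accept" with no final drop rule.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The only inbound data path: ssh from the admin subnet (assumed).
        ip saddr 192.0.2.0/24 tcp dport 22 accept
        # Keep PMTU discovery and IPv6 neighbour discovery working.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        log prefix "ingress-denied " drop
    }

    chain forward {
        # This host is not a router: nothing is forwarded at all.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Egress is also default-deny, so anything on the host that tries to
        # phone home (not just the processes you know about) needs an explicit
        # path; each allowed path is named, not wildcarded.
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Assumed local resolver and NTP server (placeholders).
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.123 udp dport 123 accept
        # Assumed package mirror: updates are the only outbound HTTPS allowed.
        ip daddr 192.0.2.80 tcp dport 443 accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Logged denials are the detection signal: an unexpected outbound
        # attempt becomes a logged event instead of a silent success.
        log prefix "egress-denied " drop
    }
}
```

Load it with `nft -f` and review the `egress-denied` log lines, since those are where an unexpected data path first shows up. A ruleset in the host OS cannot see traffic that a management engine sends through the NIC beneath the kernel, so the same posture belongs on the upstream switch or router as well.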