https://twitter.com/AskWoody/status/1187048132124794880
[See the full post at: So where are all those horrible zero-days?]
So where are all those horrible zero-days?
- This topic has 10 replies, 8 voices, and was last updated 5 years, 6 months ago.
mn–
AskWoody Lounger
October 23, 2019 at 4:45 pm #1989704
It’s the usual thing with spy games, including the corporate version.
We have various high-level entities making noise about those – Microsoft, various government-level entities on various continents, etc… and I note that the warnings say something to the effect of “used in targeted attacks”…
Given that other security professionals also tell me that targeted and tailored attacks have been on the rise recently… and that’s about all I get without an NDA…
So yeah. These would be sort of consistent with having an active international espionage arms race where all sides try to keep hidden with varying success and everyone’s also spreading disinformation.
And assuming that’s true – unless you’re already involved in the spy games you’re not likely to be targeted… in the current phase of the game, or unless some of the tools leak to common criminals.
Or it could all be disinformation. Pass me the tinfoil, will you?
-
Noel Carboni
AskWoody_MVP
October 23, 2019 at 8:25 pm #1989922
Didn’t you get the memo?
“Security” is really not about protecting anyone from bad things.
It’s about manipulating them through fear and threats. Somehow that’s become an acceptable marketing tactic.
It stinks on ice.
-Noel
-
anonymous
Guest
October 23, 2019 at 8:33 pm #1989933
If MS thinks that I’m going to be more worried about some outside entities hacking my laptops that I’ll overlook that Telemetry surreptitiously slipped into the W7 Security only updates then MS is not getting any traction as far as I’m concerned.
I’ll take the Zero Day potential over some assured MS nefariousness any day and I’ll happily install from an 8 year old windows 7 recovery image and go with that sans any updates, if needed, before I’ll accept any MS Telemetry where it does not belong if I need to clear up any infections after 2020. I can very well scrub my windows 7 laptops of any personal information and go from there and not care one little bit about any Zero Days and avoid doing any security essential business on any laptop that’s running any Windows OS.
I can very well install some security oriented Linux Distro on one of the laptops dedicated to secure transactions and only secure transactions. And that leaves 3 laptops for any sorts of non security essential Internet Browsing and not much to worry about personal information wise from any Zero Days that may or may not be targeting those systems.
-
_Reassigned Account
AskWoody Lounger
October 24, 2019 at 9:03 am #1990424
Well after the Chicken littles overhyped the Spectre and Meltdown stuff. I figure the media has become obsessed with reporting these exploits. Hysteria sells clicks these days, the whole tech world is rather bland otherwise. Much of these things never make it to mainstream media. Which just proves how little influence these things have.
2 users thanked author for this post.
-
Microfix
AskWoody MVP
October 24, 2019 at 9:44 am #1990440
I’m sure CanadianTech would agree, having stopped patching Windows 7 in May 2017 whilst supporting his clients, who still have no major issues with security or systems and his workload has dropped dramatically.
CVE-M0R3-8ULL
Windows - commercial by definition and now function...
1 user thanked author for this post.
-
anonymous
Guest
October 24, 2019 at 1:28 pm #1990665
John, I agree with you. If I remember it was the “Google Boys” that brain team that comes up with bright-ideas and want to be congratulated for their insights that caused this whole debacle to happen in the first place. It was an OLD flaw with Intel processors that was known for something like 20 years. The GOOGLE BOYS find this and publish it knowing it could not be fixed except with a new generation of CPU. Now everyone is worried or annoyed at the half way fixes that have come out slowing down of the CPU as a result. All for a threat that has not happened and if I remember Woody saying will probably be in a very long time before it will -if ever- happen. Thanks Google.
-
anonymous
Guest
October 24, 2019 at 6:55 pm #1991147
I can not help but to think that Intel will gladly sell some new CPU hardware with the necessary fixes to anyone wishing for more security in their hardware from Intel without as much of a performance loss. And most consumers are not very smart in matters concerning hardware errata and CVEs and such but those consumers are to a degree more dangerously too much Brand Aware but lacking in computing hardware knowledge.
AMD, even with its lesser hardware vulnerability issues and very performant CPU performance since its Zen micro-architecture was released and iterated upon for even better CPU performance with Zen+/Zen-2, is still behind in the wider consumer market mind share.
But as far as Spectre/Meltdown mitigations being disabled at the OS environment variable level, there is that option of speeding things up for some. But others will keep the settings to enable the mitigations to avoid any legal ramifications if something does appear that can actually attack via said hardware vulnerabilities.
If I were a security certificate issuing authority I’d maybe do everything possible to keep the encryption keys to the certificate vault protected including some custom/bespoke hardware that’s not in very wide general usage or even have the CPU’s Hyper-Threading/SMT disabled and even some speculative execution switched off at the micro-code level. That’s going to exact some performance hit for sure but that may be necessary for some essential entities.
The average person is not really having to worry much about all that is Zero Day that’s too difficult to manage without some expensive/sponsored efforts at hacking. Average consumers have more to worry about from the common scripting vulnerabilities that can gain root/administrative level access via privilege escalation attack vectors.
So side channel attack vectors are a more difficult method compared to those script/buffer overflow sorts of steal grandma’s bank account number attacks. Now for grandma’s Bank that’s a more definite target for some properly funded hacking operation where not just grandma’s funds can be drained. And the lawyers that will descend on any Bank that has not taken the utmost steps regarding any zero day/CVE are really something to be worried about as much as some well funded hacking groups sorts of losses.
-
mn–
AskWoody Lounger
October 25, 2019 at 12:45 am #1991424
If I were a security certificate issuing authority I’d maybe do everything possible to keep the encryption keys to the certificate vault protected including some custom/bespoke hardware that’s not in very wide general usage or even
… you know, according to the publicly available information…
Supposedly, none of those processor side-channel attacks work on Itanium (IA-64) and descendant processor models at all. I wonder what the current price would be for an HPE Integrity rx2800 …
Sparc hardware seems to be only minimally affected and fixed firmware is available. Same with POWER9.
IA-64 and Sparc only seem to be available in rackmount servers these days but that one company is advertising POWER9 workstations.
-
Anonymous
Inactive
October 24, 2019 at 6:21 pm #1991114
I’m still waiting for Wannacry or was it Petya, or Meltdown, or Spectre. Yadda Yadda Yadda, Blah Blah Blah, I’ve lost track of them all. Lost track of all the boogie men that were gonna invade my computer, hit me over the head with the hammer of Thor and carry me off to purgatory.
Yawn.
It was entertaining watching everybody running around having panic attacks clamoring for updates to protect against Wannacry. I think it was Wannacry…
Watched the Linux Mint team bork their kernel rushing out a fix for a theoretical non existent threat. Had to immediately issue a new update to fix the earlier borking.
The thread at the Mint forums was really an eyeful to read. You could feel the panic and despair in the writing of a lot of posters over that “threat”.
Some of the Microsoft/Windows forums weren’t any better.
So I just sit here doing everything wrong. Group W for 2½ years. Waiting…
-
Alex5723
AskWoody Plus
October 25, 2019 at 1:57 am #1991451
Windows 10 1809 Pro. Semi-Annual, Feature Updates = 210, Quality Updates = 21, Yet just received October 3, 2019—KB4524148 (OS Build 17763.775) probably under *we will ask you to download updates, except where updates are required to keep Windows running smoothly….
or, maybe that 21 days has passed for this Sept. 2019 patch ?