whatupmiked's comments

You seem to be attacking a strawman.

"The central goal of the attacker we consider is to gather location and movement data about a large number of devices, either globally or pertaining to a specific region of interest."

Networks change all the time. You don’t want to rerun cable everyday.

You can configure a router to not use a path, even though that path physically exists.

According to the comments in the most recent post on this blog the author has passed away: https://castel.dev/post/research-workflow/

I stumbled on this blog recently when researching the same topic (nvim +latex). I found this more recent blog (https://www.ejmastnak.com/tutorials/vim-latex/intro/), by another author, inspired by this original author useful as well.

I found this blog post to be very helpful and the author was obviously a very good writer and I am sure he will be missed. Condolences to his friends and family.

| 10. Unrestricted Code Execution | If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

The list was good but this last one reads more like end-point security.

NATs provide one form of network segmentation. Network segmentation is a commonly accepted network security practice. The author maybe thinking of a specific application of NAT, but a blanket “NAT provides no additional security” is not a defensible position.

"migrating to programming languages that eliminate widespread vulnerabilities."

"Some examples of modern memory safe languages include C#, Rust, Ruby, Java, Go, and Swift."

"Too often, backwards- compatible legacy features are included, and often enabled, in products despite causing risks to product security. Prioritize security over backwards compatibility, empowering security teams to remove insecure features even if it means causing breaking changes."

"While customer input is important, the authoring agencies have observed important cases where customers have been unwilling or unable to adopt improved standards, often network protocols. It is important for the manufacturers to create meaningful incentives for customers to stay current and not allow them to remain vulnerable indefinitely."

---

The fundamental challenge is that by the time a "secure default" has been universally agreed on, and implemented widely in a space, the target moves again. Meanwhile each vendor decides what is "most secure" based on what they have been able to implement. Businesses are left with the integration challenge, and maintenance burden, of operating equipment that changes underneath their feet with each upgrade/update in the name of "being more secure."

Government agencies could reduce the integration and adoption window by providing implementations of the "secure defaults" that were ready-to-use in the recommended programming languages. To do this they would need to be able to incentivize and recruit personnel that were capable of doing this, and adopt methods and practices that could produce such modules in a timely manner. Do governments want to distribute implementations that are usuable by any actor? Can they produce it in a timely manner? Would industry trust the implementation if it was produced by governments?

When "legacy features" are being asked for it is most likely because they have been shown to work, and integrate, well across the business. A new product may be perfectly secure, but is it usable? The last quote alludes to this, customers need to run the business to generate the revenue to afford the security.

An attack that does not work on a technology is not evidence of a control’s effectiveness.

There is no evidence secure boot has prevented any malware.

The reputational damage to the department is staggering.

Well, if you build it yourself at least you’ll think it’s secure!

Debian has no bugs - heard it here first!

Every critique in this list could be levelled at networking equipment that costs thousands or tens of thousands of dollars.

Sounds like they are selling a server NIC optimized for high-throughput VM/Container traffic.

Hikaru Nakamura is an American GM that has a pretty entertaining YouTube channel if you are interested in chess.

"Copper content (177±16 ppb) in water stored in copper pots was well within the permissible limits of the World Health Organization. Copper holds promise as a point-of-use solution for microbial purification of drinking-water, especially in developing countries."

people should start thinking about consumer protection for internet services and internet connected devices. Minimum security standards for products brought to market should be just one aspect of this.