Will there ever be real computer security or will convenience, bullshit and mass surveillance kill it?

Whenever I read articles from "security experts", I cringe over how they keep relying on probability and computational complexity rather than proven methods that cannot be broken given infinite time and resources. Server admins keep SSH open to the internet just because they might need it when working from home some time, didn't have time to write a custom protocol or just hope that nobody borrowing their computer will steal their password-less SSH key, yet everyone's surprised when hackers find yet another backdoor into the system.

IoT is just a plague of idIoT devices where anyone can get root access to security cameras and such, by just trying a few common default passwords. Most chat applications boast about how hard their security is, yet in a few seconds I can log into my account from a different device without even being asked for my password. I even accidentally logged into my bank without being asked for my password (due to a bug that they have now patched). I keep my payment card in aluminium foil because turning off NFC payments doesn't stop skimmers from making a full copy remotely before making a regular purchase.

So much focus on authentication rather than privilege, minimalism and attack vectors
Why don't we have dedicated hardware with proven correctness for common server protocols to prevent instant erasure of file history? Even if someone gains access, there should be limits to what an administrator can do remotely, so that hackers cannot cover their tracks, encrypt the content or overwrite the server's operating system. If hardware needs patching, just use an FPGA.

We had unbreakable encryption for many years, so no need to wait for mainstream quantum connections
Why don't companies give their employees unique read-protected microchips with unbreakable single-use 256GB true random symmetrical keys (that can be flashed at the office when consumed) instead of weak passwords (less than 120 random characters) or easily stolen SSH keys (from which enough quantum computing power can reveal the passphrase)?

When I see a Dunning-Kruger demonstration post from someone who obviously doesn't understand basic computer security at all, but boldly puts scare-quotes around "security experts" when referring to people who actually do know things, I cringe too. So, I imagine the feeling is mutual.
I also cringe when "programming experts" claim that 32-bit code runs on 64-bit Windows something like 50x slower because it is "emulated". Or that blitting an image to the screen in Windows with GDI is more than 10x slower than on Linux with X11.
I don't claim to be a security expert (just University education in computer communication and RSA encryption), but I don't feel comfortable with the current state of not having any security at all while companies lie about keeping us secure. I know that the strength of a password goes up exponentially with the length, but breakable is still breakable and therefore a known unpatched security hole.

notnullnotvoid
When I see a Dunning-Kruger demonstration post from someone who obviously doesn't understand basic computer security at all, but boldly puts scare-quotes around "security experts" when referring to people who actually do know things, I cringe too. So, I imagine the feeling is mutual.


If you know a better way to improve security then I'm eagerly listening.
I'm not trying to address the general point of the post. Just a couple of comments.
Dawoodoz
I keep my payment card in aluminium foil because turning off NFC payments doesn't stop skimmers from making a full copy remotely before making a regular purchase.

If you don't plan on doing contactless payments, you can just cut the antenna on your card. Depending on the material, you can see the traces by shining a powerful enough flashlight from its back.

Dawoodoz
Even if someone gains access, there should be limits to what an administrator can do remotely, so that hackers cannot cover their tracks [...]

That reminds me of this article. That whole blog is quite entertaining.
debiatan
I'm not trying to address the general point of the post. Just a couple of comments.
Dawoodoz
I keep my payment card in aluminium foil because turning off NFC payments doesn't stop skimmers from making a full copy remotely before making a regular purchase.

If you don't plan on doing contactless payments, you can just cut the antenna on your card. Depending on the material, you can see the traces by shining a powerful enough flashlight from its back.


I tried doing that, but worried that it would still have enough signal from the remaining stump if someone used an amplifier at close range. I resorted to grinding the chip into a thin powder stored in an airtight metal container blocking radio waves. Then I wrote down the information for online purchases. I have a secret language of hieroglyphs for doing the symmetrical encryption in my head, which can then store codes as a puzzle on multiple hidden paper notes. Many household items can be unscrewed to hide notes. Anyone finding all pieces must then understand both obscure historic references and Chinese symbolism before they can attempt to break my Autistic code. After a while, the bank refused to let me take out cash from their office and I had to buy a new card to wrap in tinfoil after disabling NFC payments.