by jakobson14 928 days ago
Apollo was a scramble to get the absolute minimum tin can to the moon as fast as possible which wouldn't kill the 2-3 men inside it. Building anything secure is a detail-oriented endeavour. It is not solvable with a moonshot.

The question I have for cisco is: why are these special features for resisting cyberattack not standard on EVERY router?

“Cisco’s response involved shipping a large order of modified equipment, specifically designed to maintain accurate time even under radio jamming conditions.”

Probably not something most Cisco customers need or want

Read the article in full.

Timekeeping upgrades and cold-weather functionality are the flashy headlines that are easy to explain to the masses, but there's plenty in there about Russian cyberattacks too. Russia has been attacking Ukraine's infra over the internet for over a decade now.

Well, as usual, the answer is a mix of cost and usability. I don't know if people outside of Germany remember it, but there was a big splash when it came out that the NSA hacked Merkel's phone. Our chancellor! Why doesn't she have a secure phone?! What do our security authorities even do?! Well, the thing is .. she had one. And it probably wasn't hacked. But the usability of these secure phones is so bad (one common thing is that everyone needs one, and they all have to be compatible with each other) that she usually just used the phone that her party gave her (she was also the head of the party), which was a normal smartphone, and the NSA hacked this one.

Same goes for switches etc. There are no real standards, everyone does a bit of their own thing, so you have a bunch of incompatibility. Then you need to configure them specially, which takes more time and effort and so on.

And, at the end of the day, there's always the matter of cost. Resisting cyber attacks means probably different chips, which are safe according to e.g. https://en.wikipedia.org/wiki/Tempest_(codename), and the software has to be checked extra and programmed to different standards. Someone has to pay for this, simple as that.

Also, if you are not the US, the US will probably want to have a say in whether Cisco can sell you such machines. Same goes for other companies and their countries.

No, these systems are not secure in any configuration. There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies. These companies do not have any super secret secure smartphones, or super secret secure routers, or super secret secure configurations. They are all just plain easily hacked, routinely get hacked, and the government agencies and companies using them get ransacked regularly.

Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

There aren’t any systems that are “secure” or “not secure” in the abstract anywhere in existence. Every system has strengths and weaknesses and is suitable for some purposes and not others, depending on your threat model.

It is perfectly possible to use products from each of the vendors you mentioned to build a high assurance system. It depends on what you build, how you configure it, and what threats you are trying to protect against.

The non-commercial/open source world isn’t exactly a bastion of impeccable security practice, either. You can counter every SolarWinds or DoublePulsar anecdote with a Heartbleed or Log4j anecdote.

But, if you look behind the headlines of every major breach, for every 1 company that got popped by a zero-day, 99 got popped by either social engineering or improper configuration/outdated software.

Why do they have poor configs and outdated software? They’re short-staffed and can’t make changes due to fear of outages. That’s a business culture problem, not a technology problem.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

Each of these vendors employs many widely known and respected security researchers. I’ll grant their product teams can be hit or miss, but to say they have no security expertise at all is just false.

Yeah, great, name one actual high assurance system any of those vendors have actually deployed or that anybody has ever deployed using those products. Something that can protect against something simple like a team of 10 FTEs for 3 elapsed years and a competent audit verifying that where their system is actually integral to the security properties of the system. None of this, I heard from a friend of a friend that their internal security is super awesome, but they have no evidence of it and none of their team would ever claim it in public.

Now you are probably going to say something like 30 FTE-years is too much. That is only like 10 M$. That is less than the ransom Caesars Palace paid out, which is a pittance compared to how much they would be willing to pay out to avoid disruption. Being unable to make such an attack unprofitable means your security is inadequate to defend medium to large sized companies who are routinely attacked by commercially-motivated hackers. Let alone systems with actual high assurance requirements like fighter jets where multi-billion dollar attacks are more cost-effective than the missiles otherwise needed.

The unary thinking where systems are all "not secure" and thus it does not matter whether it actually works against the commercially-motivated criminal hackers who will target your systems is tiresome. "More" or "less" security does not matter, "adequate" security that protects against the current and predictable future threat landscape of commercially-motivated hackers with multi-million dollar budgets who can get multi-million dollar payouts is what matters and these companies do not reach even that basic bar.

These widely known and respected security researchers have never made any system that can protect against the modern threat landscape of commercially-motivated criminals let alone state actors. For that matter, most of them probably think that is just impossible. Excuse me if I think they have no meaningful security expertise given that they have never actually secured a system against standard attacks. They do hire some pretty good offensive researchers, but that has about as much to do with security expertise as gunmaker expertise has to do with bulletproof vest expertise.

You are vastly over-estimating the competence of both Cisco and the Russian hackers.

https://www.csoonline.com/article/656427/over-40000-cisco-de...

That's true, but reading the article in full (again), nowhere does it say what other special features have been added that other companies might require.

Even in the referenced article from The Register there’s no mention. Lots more context of the types of threats being faced, but no additional features beyond time keeping and better reliability at low temperature.

The absolute minimum tin can that delivered three people to the moon and returned them safely to Earth could have been destroyed by a fault in almost any of its innumerable subsystems and components. It was very much a detail-oriented endeavor and set the standard for unit and integration testing for decades, maybe even up through the present.

In regards to this specific case, because it is expensive and unnecessary.

Cisco’s response involved shipping a large order of modified equipment, specifically designed to maintain accurate time even under radio jamming conditions. This solution employs the Cisco Industrial Ethernet switch with an internal crystal oscillator, enabling new clock recovery algorithms for accurate timekeeping when GPS is unavailable.

These modified versions of the Cisco Industrial Ethernet 5000 series switches, tested and stress-tested in Cisco’s Austin, Texas lab, were sent to Ukrenergo. The project, which cost around $1 million, was supported by the Pentagon, the U.S. Department of Energy, and the Department of Commerce in terms of logistics and coordination. Cisco provided the equipment free of charge.

Read the article again, or better yet do a ctrl-f for the word "cyber"

https://www.csoonline.com/article/656427/over-40000-cisco-de...

With how shit Cisco's security is and how badly they're having their ass handed to them, you'd think they could roll out any cybersecurity "hardening" in their special ukraniuan firmware to other models.

Read my comment again. I wasn't making any claims outside of the fact that it would be expensive and unnecessary to implement anti-GPS-blocking features unless you expect to experience GPS blocking.

So you want to pay for a high accuracy local time source in every single Ethernet switch and router and wireless controller…in case the Russians disrupt GPS over one of your locations?

Most Cisco customers:

1) Do not directly use a GPS time clock in their network. They use an NTP-based source that is ultimately timed by someone else’s GPS clock.

2) Do not want to pay for extra hardware they will not use.

3) Do not need their network equipment certified to -34C, or want to pay for a device that would work in such conditions.

I read it. But given your response, I think you didn't. There are two, and only two, specific mitigations mentioned in the article: high accuracy local time sources and low temperature certification. If you think you read about something else, feel free to quote it in reply, but we both know that isn't going to happen because it doesn't exist.

If you think, based on the article, that Cisco shipped private security mitigations to Ukraine apart from the timekeeping algorithm, that's something you have hallucinated out of whole cloth. There is no basis for it in the linked article, and it has no precedent anywhere in their 38 year history as a company.

Also, you managed to spell "Ukrainian" incorrectly and link to an article that 404s. Good job, or something.

That’s the right question about Cisco you should be asking.

> resisting cyberattack

What cyberattack uses GPS jamming? This is just dumb journos trying to spice up the article. The Register's article says this is a side effect of trying to jam missile guidance systems. Probably by their own EW systems while defending against a missile or a Shahed strike.