[sgift]

Well, as usual, the answer is a mix of cost and usability. I don't know if people outside of Germany remember it, but there was a big splash when it came out the NSA hacked Merkels phone. Our chancellor! Why doesn't she have a secure phone?! What do our security authorities even do?! Well, the thing is .. she had one. And it probably wasn't hacked. But the usability of these secure phone is so bad (one common thing is that everyone needs one, which has to be compatible with each other) that she usually just used the phone that her party gave her (she was also the head of the party), which was a normal smartphone and the NSA hacked this one.

Same goes for switches etc. There are no real standards, everyone does a bit of their own thing, so you have a bunch of incompatibility. Then you need to configure them special, which takes more time and effort and so on.

And, at the end of the day, there's always the matter of cost. Resisting cyber attacks means probably different chips, which are safe according to e.g. https://en.wikipedia.org/wiki/Tempest_(codename), and the software has to be checked extra and programmed to different standards. Someone has to pay for this, simple as that.

Also, if you are not the US, the US will probably want to have a say in whether Cisco can sell you such machines. Same goes for other companies and their countries.

[Veserv]

No, these systems are not secure in any configuration. There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies. These companies do not have any super secret secure smartphones, or super secret secure routers, or super secret secure configurations. They are all just plain easily hacked, routinely get hacked, and the government agencies and companies using them get ransacked regularly.

Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

[marcus0x62]

There aren’t any systems that are “secure” or “not secure” in the abstract anywhere in existence. Every system has strengths and weaknesses and is suitable for some purposes and not others, depending on your threat model.

It is perfectly possible to use products from each of the vendors you mentioned to build a high assurance system. It depends on what you build, how you configure it, and what threats you are trying to protect against.

The non-commercial/open source world isn’t exactly a bastion of impeccable security practice, either. You can counter every Solar Winds or Double Pulsar anecdote with a Heartbleed or Log4J anecdote.

But, if you look behind the headlines of every major breach, for every 1 company that got popped by a zero-day, 99 got popped by either social engineering or improper configuration/outdated software.

Why do they have poor configs and outdated software? They’re short-staffed and can’t make changes due to fear of outages. That’s a business culture problem, not a technology problem.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

Each of these vendors employs many widely known and respected security researchers. I’ll grant their product teams can be hit or miss, but to say they have no security expertise at all is just false.

[Veserv]

Yeah, great, name one actual high assurance system any of those vendors have actually deployed or that anybody has ever deployed using those products. Something that can protect against something simple like a team of 10 FTEs for 3 elapsed years and a competent audit verifying that where their system is actually integral to the security properties of the system. None of this, I heard from a friend of a friend that their internal security is super awesome, but they have no evidence of it and none of their team would ever claim it in public.

Now you are probably going to say something like 30 FTE-years is too much. That is only like 10 M$. That is less than the ransom Caesars Palace paid out, which is a pittance compared to how much they would be willing to pay out to avoid disruption. Being unable to make such a attack unprofitable means your security is inadequate to defend medium to large sized companies who are routinely attacked by commercial-motivated hackers. Let alone systems with actual high assurance requirements like fighter jets where multi-billion dollar attacks are more cost-effective than the missiles otherwise needed.

The unary thinking where systems are all "not secure" and thus it does not matter whether it actually works against the commercially-motivated criminal hackers who will target your systems is tiresome. "More" or "less" security does not matter, "adequate" security that protects against the current and predictable future threat landscape of commercially-motivated hackers with multi-million dollar budgets who can get multi-million dollar payouts is what matters and these companies do not reach even that basic bar.

These widely known and respected security researchers have never made any system that can protect against the modern threat landscape of commercially-motivated criminals let alone state actors. For that matter, most of them probably think that is just impossible. Excuse me if I think they have no meaningful security expertise given that they have never actually secured a system against standard attacks. They do hire some pretty good offensive researchers, but that has about as much to do with security expertise as gunmaker expertise has to do with bulletproof vest expertise.

[marcus0x62]

That's a lot of word salad for "I'm angry, but I don't know what I'm talking about."

[Veserv]

So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems. In the entire world, not even a single one.

But, despite the fact that every competent offensive software specialist claims that everything is easily hacked and demonstrate that repeatedly on the software made by the giant commercial IT vendors, we should just take it on faith that those same vendors can totally make high assurance systems even though they have failed every time they tried in the past, but this time for sure they figured it out.

[marcus0x62]

> So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems.

Sure, buddy. I'll get right on that. Right after you provide some evidence for the claims you kicked this thread off with:

> There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems.

Please note: pointing to individual incidents of products from these companies getting compromised isn't evidence that no products from these companies can be used in any way to make a high assurance system. Particularly if the incident in question was a result of a user-misconfiguration of the product in question. Neither is hand-wavy claims that "competent offensive software specialist" claim that "everything is easily hacked".

[jakobson14]

You are vastly over-estimating the competence of both cisco and the russian hackers

https://www.csoonline.com/article/656427/over-40000-cisco-de...