[Veserv]

No, these systems are not secure in any configuration. There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies. These companies do not have any super secret secure smartphones, or super secret secure routers, or super secret secure configurations. They are all just plain easily hacked, routinely get hacked, and the government agencies and companies using them get ransacked regularly.

Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

[marcus0x62]

There aren’t any systems that are “secure” or “not secure” in the abstract anywhere in existence. Every system has strengths and weaknesses and is suitable for some purposes and not others, depending on your threat model.

It is perfectly possible to use products from each of the vendors you mentioned to build a high assurance system. It depends on what you build, how you configure it, and what threats you are trying to protect against.

The non-commercial/open source world isn’t exactly a bastion of impeccable security practice, either. You can counter every Solar Winds or Double Pulsar anecdote with a Heartbleed or Log4J anecdote.

But, if you look behind the headlines of every major breach, for every 1 company that got popped by a zero-day, 99 got popped by either social engineering or improper configuration/outdated software.

Why do they have poor configs and outdated software? They’re short-staffed and can’t make changes due to fear of outages. That’s a business culture problem, not a technology problem.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems. They have no knowledge or expertise in that field and for their employees to develop that knowledge would take both prioritization and years to decades of learning and experimentation.

Each of these vendors employs many widely known and respected security researchers. I’ll grant their product teams can be hit or miss, but to say they have no security expertise at all is just false.

[Veserv]

Yeah, great, name one actual high assurance system any of those vendors have actually deployed or that anybody has ever deployed using those products. Something that can protect against something simple like a team of 10 FTEs for 3 elapsed years and a competent audit verifying that where their system is actually integral to the security properties of the system. None of this, I heard from a friend of a friend that their internal security is super awesome, but they have no evidence of it and none of their team would ever claim it in public.

Now you are probably going to say something like 30 FTE-years is too much. That is only like 10 M$. That is less than the ransom Caesars Palace paid out, which is a pittance compared to how much they would be willing to pay out to avoid disruption. Being unable to make such a attack unprofitable means your security is inadequate to defend medium to large sized companies who are routinely attacked by commercial-motivated hackers. Let alone systems with actual high assurance requirements like fighter jets where multi-billion dollar attacks are more cost-effective than the missiles otherwise needed.

The unary thinking where systems are all "not secure" and thus it does not matter whether it actually works against the commercially-motivated criminal hackers who will target your systems is tiresome. "More" or "less" security does not matter, "adequate" security that protects against the current and predictable future threat landscape of commercially-motivated hackers with multi-million dollar budgets who can get multi-million dollar payouts is what matters and these companies do not reach even that basic bar.

These widely known and respected security researchers have never made any system that can protect against the modern threat landscape of commercially-motivated criminals let alone state actors. For that matter, most of them probably think that is just impossible. Excuse me if I think they have no meaningful security expertise given that they have never actually secured a system against standard attacks. They do hire some pretty good offensive researchers, but that has about as much to do with security expertise as gunmaker expertise has to do with bulletproof vest expertise.

[marcus0x62]

That's a lot of word salad for "I'm angry, but I don't know what I'm talking about."

[Veserv]

So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems. In the entire world, not even a single one.

But, despite the fact that every competent offensive software specialist claims that everything is easily hacked and demonstrate that repeatedly on the software made by the giant commercial IT vendors, we should just take it on faith that those same vendors can totally make high assurance systems even though they have failed every time they tried in the past, but this time for sure they figured it out.

[marcus0x62]

> So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems.

Sure, buddy. I'll get right on that. Right after you provide some evidence for the claims you kicked this thread off with:

> There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems.

Please note: pointing to individual incidents of products from these companies getting compromised isn't evidence that no products from these companies can be used in any way to make a high assurance system. Particularly if the incident in question was a result of a user-misconfiguration of the product in question. Neither is hand-wavy claims that "competent offensive software specialist" claim that "everything is easily hacked".

[Veserv]

The default assumption is not “everything is unhackable”. The burden of proof is on you/vendors to prove that a vendor can protect against commercial hackers.

What, are we just supposed to assume that their product works until a exhaustive third-party analysis with no access to the design proves it is mathematically impossible otherwise. Can I also claim I have a faster-than-light drive and you have to believe me until you can prove otherwise even if I have never demonstrated it actually going FTL? That is a totally ridiculous position.

But since you want some evidence. Not a single one of those companies has ever once been able to achieve a EAL5 or higher certification for their software which indicates “resistance to penetration attackers with a moderate attack potential”. They have tried numerous times for their headline products in the past and present and have at most been able to achieve EAL4 for locked down configurations the vendors personally implemented which is only adequate for “assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security“.

This is certification standard they are legally required to certify against to sell to the US government and which is advertised, sometimes exclusively, on all of their security pages. All of those companies have tried and failed to achieve higher certification levels for literal decades over tens of software versions and billions of dollars spent.

So yeah, your turn. Find one single counterexample. If you can not even find one measly verified/certified example of what you said in the entire world, I think I have proved my point to anybody still reading this.

If you are going to just keep hemming and hawing or post a unverified or useless certification do not bother to respond, that will just look bad for you.