[Veserv]

So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems. In the entire world, not even a single one.

But, despite the fact that every competent offensive software specialist claims that everything is easily hacked and demonstrate that repeatedly on the software made by the giant commercial IT vendors, we should just take it on faith that those same vendors can totally make high assurance systems even though they have failed every time they tried in the past, but this time for sure they figured it out.

[marcus0x62]

> So you can not even point to any independently verifiable systems or even evidence that supports your claim that products from those vendors can be used to make high assurance systems.

Sure, buddy. I'll get right on that. Right after you provide some evidence for the claims you kicked this thread off with:

> There are exactly zero large scale commercial IT companies that can deploy systems that can protect against commercially-motivated criminal attackers let alone well-funded intelligence agencies.

> Companies such as Cisco, Microsoft, Apple, etc. are just systemically incapable of deploying or even developing secure systems.

Please note: pointing to individual incidents of products from these companies getting compromised isn't evidence that no products from these companies can be used in any way to make a high assurance system. Particularly if the incident in question was a result of a user-misconfiguration of the product in question. Neither is hand-wavy claims that "competent offensive software specialist" claim that "everything is easily hacked".

[Veserv]

The default assumption is not “everything is unhackable”. The burden of proof is on you/vendors to prove that a vendor can protect against commercial hackers.

What, are we just supposed to assume that their product works until a exhaustive third-party analysis with no access to the design proves it is mathematically impossible otherwise. Can I also claim I have a faster-than-light drive and you have to believe me until you can prove otherwise even if I have never demonstrated it actually going FTL? That is a totally ridiculous position.

But since you want some evidence. Not a single one of those companies has ever once been able to achieve a EAL5 or higher certification for their software which indicates “resistance to penetration attackers with a moderate attack potential”. They have tried numerous times for their headline products in the past and present and have at most been able to achieve EAL4 for locked down configurations the vendors personally implemented which is only adequate for “assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security“.

This is certification standard they are legally required to certify against to sell to the US government and which is advertised, sometimes exclusively, on all of their security pages. All of those companies have tried and failed to achieve higher certification levels for literal decades over tens of software versions and billions of dollars spent.

So yeah, your turn. Find one single counterexample. If you can not even find one measly verified/certified example of what you said in the entire world, I think I have proved my point to anybody still reading this.

If you are going to just keep hemming and hawing or post a unverified or useless certification do not bother to respond, that will just look bad for you.

[marcus0x62]

I see no reason to continue this conversation. All you're doing is deflecting, moving the goal posts and making stuff up (lacking EAL5 certification isn't proof these products are bad and there is ZERO evidence Microsoft, et. al. have spent $1 let alone "billions" of dollars in any failed attempts to get EAL5 certification.)

> If you are going to just keep hemming and hawing or post an unverified or useless certification do not bother to respond, that will just look bad for you.

LOL.