[Veserv]

You are claiming that every major OS is unhackable by governments. Can you point to literally any specific system that is demonstrably unhackable? Can you find literally anybody who would publicly claim their systems are unhackable by governments? Can you find literally anybody who would publicly claim that no competent team of 5 working for 3 years full-time (~1 tank worth of dollars, not even a basic company, just 1 tank) could not breach their systems? And that is just demonstrating for a single vendor, let alone your claim that it is true for everybody.

Your proof is that it would be really bad if everything were horribly insecure therefore it must not be true. Proof by wishful thinking has never been a valid argument.

In contrast, a few years ago I worked with a vulnerability broker who had literally hundreds of unsold zero-days with tens in each major commercial OS with zero-click RCEs only being a few million each. That is just one vendor in a sea of vulnerability brokers. That is the state of reality. We just live in the metaphorical equivalent of the pre-9/11 world where you can easily kill a lot of people by flying a plane into a building, but nobody has figured it out yet.

[SahAssar]

> You are claiming that every major OS is unhackable by governments.

I did no such thing. I claimed that it's implausible that every government can buy RCE for every OS.

[Veserv]

Yes you did, you said: "all governments using COTS OS for military/intelligence work" and then argued: "If your statement was even remotely true then why is this not used in conflicts to devastating effect?". You are clearly arguing that the operating systems they use, which you clearly admit are standard COTS operating systems, must be unhackable by other governments otherwise we would be seeing devastating effects (or at least require more than pocket change to a potential US adversary to attack, i.e. at least more than a single tank (~10 M$), at least more than a single fighter jet (~100 M$), probably at least more than a aircraft carrier (~1 G$) before not being pocket change).

[irundebian]

No, he didn't. Learn to discuss properly. OP stated that any government could get RCE for any OS. And that is highly unlikely, since budget above market rates does not imply that you can easily get RCEs. The market rates are high because there is scarcity of such vulnerabilites.

Governments using COTS operating systems does not imply that these systems are unackable. If the statement of OP would be true, we would just see constant exploitation of RCE zero days, or at the least the impact of that. But that is not the case.

[Veserv]

We do see constant exploitation of government and critical infrastructure systems. The US telecom network is literally actively compromised right now and has been for multiple years [1]. Like wishful thinking, ignorance is also not a valid argument.

It is frankly baffling that I even need to argue that COTS operating systems are easily hacked by governments and commercial hackers. It literally happens every day and not a single one of those companies or organizations even attempts to claim that they can protect against such threats. Government actors are literally what these companies peddling substandard security use to argue "nothing we could do". It has been literal decades of people trying to make systems secure against government actors and failing time and time again with no evidence of success.

I mean, seriously, go to Defcon and say that nobody there with a team of 5 people with 3 years (~10 M$, a single tank) could breach your commercially useful and functional Linux or Windows deployment and you are putting up a 10 M$ bounty to prove it. I guarantee they will laugh at you and then you will get your shit kicked in.

[1] https://en.wikipedia.org/wiki/Salt_Typhoon

[indolering]

Everything thinks of Defcon et al a a gathering of elite hackers. But it's more of a fucking drinking game.

The depressing fact is that you don't need an RCE to accomplish most goals.

[Veserv]

I am aware. I was making a concrete example pointing at a well known conference where average industry professionals would find the very concept of these systems being secure to be laughable.

Somehow we have ended up in this bizarro land where everybody in software knows software, especially COTS operating systems, is horribly insecure due to the endless embarrassing failures yet somehow they also doublethink these systems must be secure.