[Veserv]

We do see constant exploitation of government and critical infrastructure systems. The US telecom network is literally actively compromised right now and has been for multiple years [1]. Like wishful thinking, ignorance is also not a valid argument.

It is frankly baffling that I even need to argue that COTS operating systems are easily hacked by governments and commercial hackers. It literally happens every day and not a single one of those companies or organizations even attempts to claim that they can protect against such threats. Government actors are literally what these companies peddling substandard security use to argue "nothing we could do". It has been literal decades of people trying to make systems secure against government actors and failing time and time again with no evidence of success.

I mean, seriously, go to Defcon and say that nobody there with a team of 5 people with 3 years (~10 M$, a single tank) could breach your commercially useful and functional Linux or Windows deployment and you are putting up a 10 M$ bounty to prove it. I guarantee they will laugh at you and then you will get your shit kicked in.

[1] https://en.wikipedia.org/wiki/Salt_Typhoon

[indolering]

Everything thinks of Defcon et al a a gathering of elite hackers. But it's more of a fucking drinking game.

The depressing fact is that you don't need an RCE to accomplish most goals.

[Veserv]

I am aware. I was making a concrete example pointing at a well known conference where average industry professionals would find the very concept of these systems being secure to be laughable.

Somehow we have ended up in this bizarro land where everybody in software knows software, especially COTS operating systems, is horribly insecure due to the endless embarrassing failures yet somehow they also doublethink these systems must be secure.

[indolering]

I was agreeing with you! It's a drinking game because the infosec field is laughable. Who needs a zero day RCE when the president is using an EOL Samsung?