Bonum Certa Men Certa

Get Rid of Back Doors, Don't Obsess Over Bounties and Other Corporate PR Stunts (or Needless Reboot Rituals)

posted by Roy Schestowitz on Apr 23, 2025, updated Apr 25, 2025

DO NOT TALK TO COMPUTERS

Recent: Unlike GAFAM, Free Software Serves You, It Does Not Serve Governments and MElons (Overlapping Forces)

Security as a term has mostly lost its meaning due to repeated misuse for many years. Jessica Lyons recently explained how back doors got framed as a Chinese attack; maybe just don't put back doors in there to begin with? No? Too much to ask for?

What is a lot of modern "security" (gimmicks) anyway?

It is not genuine security but some "security product" (or appliance or service) that is proprietary, opaque and itself contains - hence adds even more - security holes, right?

Keep "buying" (licensing) or "subscribing" to our snake-oil, say the peddlers.

Paper pushers who call themselves managers meet "compliance requirements" by signing some contracts without actually improving anything at a technical level.

Consider the new article, "Submit ransomware intel, earn up to $10k from new program" by Jessica Lyons at The Register (she's quite in-depth by the way, no shallow parroting of GAFAM claims).

An associate who read her article said that the money would be more effective if spent on migration away from Windows (back doors at many levels). "It's not altruistic," Lyons notes. "The bulk of the ransomware info being submitted will go to improve Halcyon's anti-ransomware engine, rather than automatically ending up in a publicly available database for all network defenders to freely access."

Yes, Halcyon (there are several companies with that name, hence a bit hard to keep track).

Selling "security" is like selling "hey hi" (AI). It's just some buzzword these days and last year, in a public talk, Richard Stallman openly complained about both.

We're seeing a lot of shallow articles about security not every day but many times each day, even on holidays and during weekends. Here's a shallow new article entitled "Severance: what the hit show can teach us about cyber security and human risk" by Oli Buckley ("Professor in Cyber Security, Loughborough University"; he's no Ross Anderson). Recall "Why We Can't Teach Cybersecurity" by Dr. Andy Farnell. Buckley's article is sci-fi nonsense and there's also a comment there to the same effect (only one comment). To quote:

As someone who has researched insider threats for the last decade I can’t help but see Severance as a cautionary tale of what happens when we try to eliminate threats without understanding people.

If he "researched insider threats for the last decade", then he'd know that insider threats, such as leakers or rogue staff, aren't a matter of computer security. They're a staffing issue. It's also about non-digital practices (e.g. physical access and physical devices going in and out; remember what Edward Snowden did).

However the more worrying piece that I saw today was "Android Improves Its Security" by Bruce "Schneier on Security", linking to GAFAM megaphones and some such; oh, dear! If we pursue real security, should we not start by not having Google at all? It is doable by the way, and moreover it changes the attack surface through system diversity (no predictable or uniform way to exploit stack overflows for instance).

Schneier basically subscribes to nonsense, just because some article he saw online said something.

It basically seems like Google is now adopting the Microsoft Doctrine - something along the lines of just reboot, reboot, reboot as "security". It's really lame and the EFF's (Board) Schneier whistles along as if all that security boils down to is lots of reboots, while Google works for the NSA and reportedly lets the FBI have remote microphone access (for about a decade already, the credible source being WSJ).

A friend has called it voodoo and superstition in place of actual procedures and methods, linking to this reminder about the origins of ctrl-alt-del (typically reboot, even today): "'I may have invented it, but Bill made it famous,' Bradley said in an interview previously, leaving Bill Gates looking rather awkward. To this day the combination still exists..."

Apparently security now means devices "reboot themselves after sitting unused for 3 days", or to quote the body of Conde Nast's shallow piece:

A silent update rolling out to virtually all Android devices will make your phone more secure, and all you have to do is not touch it for a few days. The new feature implements auto-restart of a locked device, which will make your personal data harder to extract. It's coming as part of a Google Play Services update, though, so there's nothing you can do to speed along the process.

Seems like utter nonsense or really terrible design made to harvest data, not protect the device's carrier. Google is still in control of the process and as a public sponsor of Donald Trump we can assume he and his rogue agencies/enablers get access to all the data too. They can access cameras, microphones etc.

It should be noted that about a decade ago we saw dragnet surveillance wherein everyone possessing an Android device within some "suspicious" radius got subjected to 'deep state' scrutiny. How's that for security? Feeling safe now? Being one in 10,000 or so people flagged as "suspects" for merely dragging some Android 'phone' into the 'wrong' radius?

A friend spoke of "multiple dragnets. There were several stories about that lately."

This is becoming the norm.

It should not. But it is.

OK, whatever. "I'm addicted to my phone!"

But don't worry, this is all about security. Google is totally all about security because it runs PR events and stunts with monetary bounties (less than 0.001% of its revenue).

According to Google, all one needs for security is frequent reboots! Problem solved.

This is the uptime on my main laptop right now:

roy@vonick:~$ uptime
 15:53:37 up 561 days, 21:38, 39 users,  load average: 0.90, 0.77, 0.66

And the secondary laptop right now:

roy@bubi:~$ uptime
 15:54:12 up 496 days,  7:06,  3 users,  load average: 7.48, 7.27, 7.18

Just because I haven't rebooted since 2023 does not mean I'm at a high risk level; both are isolated from the Net for the most part, over almost all ports, and nevertheless they do get updated. The Microsoft media - and ridiculous LLM slop that follows/echoes it - wants people to think that because you can download malware from Microsoft it means that OpenSSH and Linux are dangerous. It's not just awkward logic but sheer dishonesty and malicious spin [1, 2].

"Cybersecurity is now a resistance movement" by Dr. Farnell is his latest article, which speaks a bit about politics. We'll leave politics out of it here. Those issues (like security) ought not be "partisan". They affect everybody similarly.

Farnell, like Ross Anderson, values real security. To quote what Farnell wrote about Anderson earlier this month: "Ross was not liked by the university to which he devoted his life. The fact is they wanted rid of him by forced retirement. At an institution taking funding from Elon Musk and some morally questionable technology organisations, Ross ruffled feathers with his plain integrity. He was not, however, an "activist" - which made the integrity all the more galling for some. [...] Ross gave his time and attention to people. But he did not do so indiscriminately, and I therefore suspect something even more profound; that Ross eschewed status - a heresy and remarkable position to hold in a place like Cambridge University. Many recounted lengthy, deep email exchanges with Ross, even if they felt like a "lowly nobody" or academic "outsider", as was my own experience. [...] Inevitably politics was in the air. Though students spoke highly of Cambridge University's inclusion improvements, diversity and LGBTQ+ society, expressing feelings of being able to "be themselves", some noticed it still falls short of reflecting the real makeup of the UK and it's neither race nor underlying class issues which still require attention but more complex problems of representatively including all mindsets. The questions remain; Security for who? Security from whom or what? Security to what end? [...] We know from so many comments that Ross was uncomfortable with and challenged the sources of research funding. We noticed a lack of willingness from the UK academics to talk about issues with Big Tech and the unfolding US situation, something that the US academics were surprisingly happy to discuss. Research funding from UK government and charities has been in decline since 2010 and while our government have the facility, equipment and talent to really lead in cybersecurity and AI, instead we take donations from SpaceX and the like to build the AI centre. This leads to biased research. 
That said, it seems Cambridge last took funding from them in 2015, 10 years ago now, and have since distanced themselves from Musk especially in the last year. Cambridge University Press even published a paper last year about Musk pushing academics off Twitter."

Lots more in there. Don't bother with corporate media (such as the Jeff Bezos-owned "journal of record") if you want to understand real security. As a part of GAFAM and sponsor of the Cheeto/MElon regime, Bezos wants back doors, not security. He values only his own privacy, as does Bill Gates.
