1. 57
  1. 11

    Great article. A few minor points:

    “How did the Capital One + AWS hack happen”

    They didn’t care enough to make it a policy to spend money on mitigations and practices that consistently work across known classes of attacks. Aka they didn’t care about it. They figured they’d litigate it, it wouldn’t cost much, it would happen to the next CEO/CIO, etc.

    “It shouldn’t, in short, be on the Internet. On the other hand, properly authorized users, who are on the Internet, would like to be able to reach it from anywhere. Because requiring all the employees to come to an office location to do their jobs (“physical security”) seems kinda obsolete. That leaves us with a conundrum, doesn’t it? Wouldn’t it be nice though?”

    High-assurance guards w/ VPN’s, link encryptors, and/or leased lines running separation architectures using older nodes and designs for the untrusted interface to beat the hardware vulnerabilities. DiamondTek LAN built them into PCI cards w/ Ethernet ports. Today, it could be an on-board chip connecting the external interface. Such architectures have been doing great in NSA and DOD pentesting for decades. It’s what they use internally for TS/SCI at many sensitive sites.

    Alternatively, simple hardware running OpenBSD on embedded box in front of (device/service here) mediating it according to (policy here) with mediation done memory-safe w/ input validation and fuzzing. That’s the cheapest solution that should stop most attackers. Also, throw them a donation if you do it.

    EDIT: “the horrors of IPv6,”

    On Twitter, apenwarr also said:

    “I had a connectivity problem, so I enabled IPv6. Now I have two connectivity problems.”


    1. 6

      Some quotable stuff in here:

      • « Hospital staff are like the Internet of Bacteria. »
      • « AWS is bananas, and AWS permission bug exploits are banana fungus. »
      1. 4

        a network, but not the Internet. One that isn’t reachable from the Internet, or even addressable on the Internet. One that uses the Internet as a substrate, but not as a banana.

        So… uh… a (possibly mesh) VPN? Looking at tailscale.io, it says “zero-trust networking” and “End-to-Endpoint Network Security” which sounds cool and not like a VPN. What a mysterious project. Zero-trust networking actually is related to making everything addressable on the Internet, which makes it even more confusing.

        1. 1

          Yeah, I’m quite confused by what tailscale is supposed to be. Or how it wouldn’t be vulnerable to the same issues, should it become popular itself.

        2. 4

          I feel like I just read an ad that refused to tell me what product it’s trying to sell me.