Overclock.net - An Overclocking Community - Reply to Topic

Thread: [PCM]Qualcomm Chip Bug Poses Risk to App Account Security
  Topic Review (Newest First)
05-14-2019 11:34 AM
Avonosac
Quote: Originally Posted by xJumper View Post
Well, I can give you one example of where I decide it's best to "offload" to the grid. Email...

I tried the self-hosting thing. It was a pain and I realized that for all the effort I put into it, I had a higher chance of messing up a config and getting myself owned vs the perceived threat that some bad actor at the VPS/hosting company might do something or have some kind of backdoor.

If a man and his computer can't keep himself safe, who can? Lol I guess I need to sign up for Azure.
More of your data is out there exposed _out_ of your hands than in your control on whatever servers you are running, that is the sad.. sad truth of it. You can't keep stuff on Google, FB, ehem.. Experian secure.
05-12-2019 08:29 PM
xJumper
Well, I can give you one example of where I decide it's best to "offload" to the grid. Email...

I tried the self-hosting thing. It was a pain and I realized that for all the effort I put into it, I had a higher chance of messing up a config and getting myself owned vs the perceived threat that some bad actor at the VPS/hosting company might do something or have some kind of backdoor.

If a man and his computer can't keep himself safe, who can? Lol I guess I need to sign up for Azure.
05-12-2019 02:23 PM
Avonosac
Quote: Originally Posted by xJumper View Post
It doesn't, the classic model is sort of an elitist stance, it looks at it only from a 2D perspective, the computer security part and assumes everyone will follow sysadmin level behavior.
I'm a recovering classic model believer, the reason I posted was to emphasize the fact that the classic model is still mostly best practice but doesn't even address the majority of your own attack surface. It's a model for a bygone reality, not an elitist stance - because it's literally attempting to assert security it can't deliver.

The thing that sucks about giving up the classic model is the realization that despite your knowledge you can't protect yourself. You were likely someone who generally was independent and savvy enough to create complex services for yourself and you took pride knowing you were able to do so securely. You now can set up these services, and even more complex ones but regardless of the effort you expend, you no longer are capable of keeping yourself safe. This is a real tough pill to swallow.


Quote: Originally Posted by xJumper View Post
I apply the model to myself but I'm well aware that the model wouldn't work for most people or a public business. Like I said it's an elitist stance.
Yea, like I said it's still a good idea but unfortunately it doesn't work for you either.
05-11-2019 03:32 PM
xJumper
Quote: Originally Posted by Avonosac View Post
How does your classic security model help protect you when a customer service representative gives an attacker information which compromises a completely different service as a step in the chain? It doesn't.
It doesn't, the classic model is sort of an elitist stance, it looks at it only from a 2D perspective, the computer security part and assumes everyone will follow sysadmin level behavior.

Quote: Originally Posted by Avonosac View Post
I'm not pooh-poohing the model either, it remains generally good personal security practice. It is however extremely important to recognize that its primary contribution to your security is now rooted firmly in security by obscurity, rather than any actual inherent security properties.
I apply the model to myself but I'm well aware that the model wouldn't work for most people or a public business. Like I said it's an elitist stance.
05-09-2019 08:05 AM
Avonosac
I'll point out one more thing, because you still want to believe the classic security model works somewhere and I honestly can't blame you because comforting lies are really comfortable. You aren't in control of most of your personal attack surface.

I appreciate you did want to learn as compared to the normal forum fare, so here's another chance. How does your classic security model help protect you when a customer service representative gives an attacker information which compromises a completely different service as a step in the chain? It doesn't.

Ultimately, the classic security model is mostly about good individual security practice but fails to address the whole surface. It's like installing a massive bank-safe door in your white picket fence to keep the neighbors' kids off your lawn, sure the door might be impossible to get through but doesn't help much when you can go right around it.

I'm not pooh-poohing the model either, it remains generally good personal security practice. It is however extremely important to recognize that its primary contribution to your security is now rooted firmly in security by obscurity, rather than any actual inherent security properties.
05-08-2019 12:03 PM
xJumper
Quote: Originally Posted by dagget3450 View Post
I totally get where you are coming from (I think). I myself don't use my phone for anything but voice/txts. I don't pay any bills, surf web without addons, use social media or load any apps on it. So realistically I don't care if it somehow got hacked.
That's that classical security model I'm talking about. Where you have your mainframe (desktop machine at home) which is where you focus your security/hardening and your other devices out in the wild which you assume and operate under the pretext of them being compromised, no different than internet cafes, public networks, unknown hosts, etc. When you follow that model, many of these new "exploits" end up being trivial and don't affect you.

You have the businesses today that keep it simple, desktop work machines on every desk, POTS landlines and that's it, everything runs on the LAN/wired switches. Firewall set to default deny out, everyone goes home for the day, building is locked out and security patrols it, not too many ways to hack that business. Then you have the businesses that have PBX boxes, IP phones, cloud drives, mobile apps/company phones, e-portals, VPNs, VNCs, all sorts of special remote clients, etc. There's like a million attack vectors to that.

Quote: Originally Posted by dagget3450 View Post
Also refreshing to see someone admit they might be wrong, instead of mercilessly posts sticking to denial of others' opinions or facts. (I've been guilty of that myself been trying to work on it though)
Part of "knowing" is knowing when you don't know something. Old enough that I don't care about being "wrong" anymore or "losing" I'd rather just get to the right info.
05-07-2019 11:39 PM
dagget3450
Quote: Originally Posted by xJumper View Post
Alright I'll give it to you guys, it's an exploit and I'm wrong. Still not an exploit that would likely affect me and even if I did somehow get owned by it they wouldn't be able to take over my life as I got that strapped down and compartmentalized pretty damn well but yes it is an exploit.
I totally get where you are coming from (I think). I myself don't use my phone for anything but voice/txts. I don't pay any bills, surf web without addons, use social media or load any apps on it. So realistically I don't care if it somehow got hacked. That said I have so many family and friends who more or less have the phone surgically attached to their hands or body. In fact if it weren't for work I would prefer to just not even have one. Maybe I am old now, but I wouldn't have guessed 20 yrs ago that everyone would have a personal device they use to communicate to the world and every other possible aspect of life like dating/shopping etc..

Also refreshing to see someone admit they might be wrong, instead of mercilessly posts sticking to denial of others' opinions or facts. (I've been guilty of that myself been trying to work on it though)
05-05-2019 04:09 PM
xJumper
Alright I'll give it to you guys, it's an exploit and I'm wrong. Still not an exploit that would likely affect me and even if I did somehow get owned by it they wouldn't be able to take over my life as I got that strapped down and compartmentalized pretty damn well but yes it is an exploit.
05-05-2019 08:48 AM
Defoler
Quote: Originally Posted by xJumper View Post
I am a staunch defender of the classic computer security model, so to me "exploits" that rely on things like physical access, purposefully giving elevated privileges and other stuff we would consider a given or no-brainer as things you need to do or not do to have a secure system aren't held in the same light as traditional exploits.
This is where you do not understand computer security.

For example, the latest Intel memory bug, can use a relatively simple exploit in the memory, remotely through site scripts, and once that is done, they can use a different exploit that allows more privileges, something that in the past required physical or elevated privileges before (spoiler+rowhammer exploits used together).

So while one exploit could have required physical access to load something up, now, it might not.

So how you accept "classic computer security", has been voided and irrelevant for years.

That is also the mistake of many security "experts" in many companies. They aren't up to date with what you can or cannot do, and think "classic", and then get surprised when data is lost/stolen.
05-05-2019 08:33 AM
dagget3450
Quote: Originally Posted by xJumper View Post
I am a staunch defender of the classic computer security model, so to me "exploits" that rely on things like physical access, purposefully giving elevated privileges and other stuff we would consider a given or no-brainer as things you need to do or not do to have a secure system aren't held in the same light as traditional exploits.

tl;dr version, someone takes your phone, hooks up a jtag kit to it and rips its flash memory content out; I don't consider that a real exploit. The attacker had physical access, that would have been a huge "duh" in the classical computing security circles. Yet some proponents of the newer type of security model see that as a valid vulnerability.



Is there a version of anything, any OS that doesn't have a successful attack chain? It would appear that my desktop OS on the kernel it runs has no known major flaws yet there probably and likely always is a way for it to get owned if I literally did every single thing wrong and complete every link in the attackers "chain". I'm speaking all in the hypothetical here, but if you have to go wrong ten times in a row is it really a true "exploit"?

On a side note I had never heard of this term "attack chain" until now, I just figured they did stuff like that though, use many small things to accomplish a larger goal.



My question is, how many "chain links"/exploits would you need to use to be successful in using this particular exploit. Depending on that (which the article does not mention) would sway my position on if this is a "real" vulnerability or not.



Depends on how bad you need to screw up for the attack to be successful. If the amount of "wrong turns" that need to be made exceeds what I deem is a reasonable amount of mistakes a semi-knowledgeable person would ever make I wouldn't view it as an exploit to "my" standards, but like I said that's me.



If any one device, file or piece of software "cracks" your life you did it wrong.



I do and constantly rail on it and companies that force it as a means for 2FA, I'm actually really against 2FA in its current state.

I don't understand what your point is. "Exploit" doesn't need to be defined as it is already in the dictionary:

Quote:
exploit noun
ex·​ploit | \ ˈek-ˌsplȯit , ik-ˈsplȯit \
Definition of exploit (Entry 1 of 2)
: deed, act especially : a notable or heroic act

exploit verb
ex·​ploit | \ ik-ˈsplȯit , ˈek-ˌsplȯit \
exploited; exploiting; exploits

Definition of exploit (Entry 2 of 2)

transitive verb
1 : to make productive use of : utilize exploiting your talents exploit your opponent's weakness
2 : to make use of meanly or unfairly for one's own advantage

You say "The amount of wrong turns, or the idea of software cracks your life "you're doing it wrong", is rather disingenuous to the whole concept of exploits. Considering how much people's lives are on their phones (personal devices) these days, you can easily steal "all" data to their identity. Also, combined with always connected devices and "cloud computing" as simple examples. "Traditional exploits" is like you're talking about decades ago when paper pad and pens were a thing.