
As a part of a defense-in-depth strategy, sure. Where we get in trouble is when it's the only layer.


To this I respond with the only valuable threat matrix for an individual I've ever seen.

Threat: Ex-girlfriend/boyfriend breaking into your email account and publicly releasing your correspondence with the My Little Pony fan club

Solution: Strong Passwords

Threat: Organized criminals breaking into your email account and sending spam using your identity

Solution: Strong passwords + common sense (don’t click on unsolicited herbal Viagra ads that result in keyloggers and sorrow)

Threat: The Mossad doing Mossad things with your email account

Solution: ◆ Magical amulets?

◆ Fake your own death, move into a submarine?

◆ YOU’RE STILL GONNA BE MOSSAD’ED UPON

All credit to James Mickens for the above.

My point being that if someone is that committed to compromising your air-gapped system they're going to find a way. Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.


> Especially if they can just slip the janitor $10,000 to put a USB labelled "Barely Legal Gone Wild" into the machine while vacuuming.

Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.

Your cited example is also why Counterintelligence is a thing. It's not enough to trust your processes; you also have to probe them.

When I was in the military I met a guy whose job was to pentest (among other things) nuclear weapons facilities and NORAD defense installations, specifically their computer equipment. He had some pretty wild stories; suffice it to say the ladder trick doesn't work when you are trying to access an ICBM solo.


> Part of Defensive Depth includes vetting and requiring the janitor who cleans the SCIF to themselves also hold a security clearance.

Sure, but no amount of vetting is going to be perfect. Maybe the vetting missed something, maybe some circumstance changed between now and the most recent re-up, maybe instead of $10k it's $10M, etc.

A better solution is to physically disable the USB ports.


> A better solution is to physically disable the USB ports.

It's not an either/or situation.


Everyone will break. Even the janitor who passed clearance. Threaten his wife, see how long he cares about his clearance. When the government was trying to break me I was all macho, "I ain't saying shit", until the second they threatened to hurt my wife, then I was a little bitch who would have woofed and begged for treats had they asked.


There are security testers in DC with a good track record of getting into government buildings. "Who are you and what are you doing here?" "I've brought chocolate cake." "Oooo!!"


Mossad generally can't be prevented from killing you, but it's much easier to keep encryption keys safe than to keep yourself alive.

I don't think Mossad would find it all that easy to compromise an ordinary bank vault.


My old boss was very disturbed when we explained to him that our small business with one IT guy can't really defend against state-level actors who are intent on getting into our systems.

I'm still not sure why he was worried about that.



