
Yes you did, you said: "all governments using COTS OS for military/intelligence work" and then argued: "If your statement was even remotely true then why is this not used in conflicts to devastating effect?". You are clearly arguing that the operating systems they use, which you clearly admit are standard COTS operating systems, must be unhackable by other governments otherwise we would be seeing devastating effects (or at least require more than pocket change to a potential US adversary to attack, i.e. at least more than a single tank (~10 M$), at least more than a single fighter jet (~100 M$), probably at least more than an aircraft carrier (~1 G$) before not being pocket change).


No, he didn't. Learn to discuss properly. OP stated that any government could get RCE for any OS. And that is highly unlikely, since budget above market rates does not imply that you can easily get RCEs. The market rates are high because there is scarcity of such vulnerabilities.

Governments using COTS operating systems does not imply that these systems are unhackable. If OP's statement were true, we would just see constant exploitation of RCE zero days, or at the least the impact of that. But that is not the case.


We do see constant exploitation of government and critical infrastructure systems. The US telecom network is literally actively compromised right now and has been for multiple years [1]. Like wishful thinking, ignorance is also not a valid argument.

It is frankly baffling that I even need to argue that COTS operating systems are easily hacked by governments and commercial hackers. It literally happens every day and not a single one of those companies or organizations even attempts to claim that they can protect against such threats. Government actors are literally what these companies peddling substandard security use to argue "nothing we could do". It has been literal decades of people trying to make systems secure against government actors and failing time and time again with no evidence of success.

I mean, seriously, go to Defcon and say that nobody there with a team of 5 people with 3 years (~10 M$, a single tank) could breach your commercially useful and functional Linux or Windows deployment and you are putting up a 10 M$ bounty to prove it. I guarantee they will laugh at you and then you will get your shit kicked in.

[1] https://en.wikipedia.org/wiki/Salt_Typhoon


Everyone thinks of Defcon et al as a gathering of elite hackers. But it's more of a fucking drinking game.

The depressing fact is that you don't need an RCE to accomplish most goals.


I am aware. I was making a concrete example pointing at a well known conference where average industry professionals would find the very concept of these systems being secure to be laughable.

Somehow we have ended up in this bizarro land where everybody in software knows software, especially COTS operating systems, is horribly insecure due to the endless embarrassing failures yet somehow they also doublethink these systems must be secure.


I was agreeing with you! It's a drinking game because the infosec field is laughable. Who needs a zero day RCE when the president is using an EOL Samsung?
