
The Scott Pilgrim of Technology

There is a moment when we have to take account of actions; we have to push into the direct limelight the ACTUAL dangers. I did some of it when the DJI issues hit the news. With ‘That’s the way the money flows‘ (at https://lawlordtobe.com/2019/05/21/thats-the-way-the-money-flows/) we see certain actions, but have you considered the actual dangers?

In this case (for a few reasons) I move towards the article in the Verge. Here (at https://www.theverge.com/2019/5/22/18634401/huawei-ban-trump-case-infrastructure-fears-google-microsoft-arm-security) we see what transpired half a day ago. With the ARM announcement people are getting worried. Yet they validly ask: “halting its access to current and future chip designs and coming on the heels of similar breaks from Google and Microsoft. Huawei is in deep, deep trouble, and we still don’t have a clear picture of why“.

Yes that is seemingly an issue, if there actually was an issue, in addition we are given “There’s never been a full accounting of why the US government believes Huawei is such a threat, in large part because of national security interests, which means much of the evidence remains secret” and that is where the issue is, it is hidden. There has not been one respectable cyber engineer giving a clear account of where the actual flaws are.

So when we see: “There was never any hard evidence of backdoors in Huawei’s cell towers — but, as hawks saw it, there didn’t need to be. As a hardware provider, Huawei needs to be able to deploy software the same way Apple deploys iOS updates. But as long as there was a pipeline from Huawei’s China headquarters to cell towers in the US, there would be a strong risk of Chinese surveillance agencies using it to sneak malware into the network“. We can accept that to some degree, yet the actual issue is stated with: ‘there would be a strong risk of Chinese surveillance agencies using it to sneak malware into the network‘. If it is about risk then that risk is actually zero, you see Cisco solved that problem for Russian, Chinese and North Korean intelligence months ago. The fact that all over the US and now Europe, we see the dropping of Huawei as a consideration is not merely an act of discrimination, it could also be seen as an act of customers being betrayed by their governments.

What is the evidence?

As some experts give us something like: “The vulnerability could allow an authenticated, local attacker to write a modified firmware image to that component. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, according to Cisco’s advisory” and make no mistake, routers from Parks and recreation, to the Pentagon right up to the White House are optionally affected at present. The list (at https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot#vp) shows vulnerabilities impacting MILLIONS of devices and the media remains largely silent on it.

And when we also consider: “Other routing and switching gear patches won’t roll out until July and August, with some products slated for even later fixes, in October and November.” we should all realise that Chinese equipment does not make US hardware vulnerable, Cisco (an American company no less) did it for them. The Washington Post is not really covering it, are they? Perhaps because we see (at https://www.washingtonpost.com/brand-studio/wp/tag/cisco-webex) loads of space reserved for partner content, giving us the credo that I have mentioned a few times before. The media has become a whore (or perhaps better stated a person relying on questionable ethics). They cater to their shareholders, their stake holders and their advertisers; there is the real danger and the real vulnerability.

Keeping the people knowingly in the dark from actual dangerous situations, but that is not really what big business wants, is it? The danger of Huawei growing to twice its size was just too dangerous for those on the Wall Street gravy train, and whilst we see these dangers for almost a month, the value of Cisco goes up? Whilst millions of devices are vulnerable with many of them in that state until deep into November, optionally remaining a danger until well into January 2020, for the simple reason that delays are almost inevitable in these situations?

When we realise that we can Google on reported true and false weaknesses that hit Huawei and Cisco, it is shameful to see the following list:

| News source | Huawei ‘danger’ given | Cisco vulnerability mentioned |
|---|---|---|
| Sydney Morning Herald | Yay | Nay |
| the Age | Yay | Nay |
| the Guardian | Yay | Nay |
| BBC | Yay | Nay |
| The Times | Yay | Nay |
| Australian Financial Review | Yay | Nay |
| Financial Times | Yay | Nay |
| Washington Post | Yay | Nay |
| LA Times | Yay | Nay |
| NOS (Dutch) | Yay | Nay |
| Dagens Nyheter (Swedish) | Yay | Nay |

However, in case of the Sydney Morning Herald we do get to see sponsored content for Cisco and the Washington Post gave the readers Cisco Partner content.

As far as I have been able to tell, none of them gave any light to the vulnerabilities in Cisco Routers and Firewalls. Would you agree that a flaw impacting millions of devices is news? Many of them pulled a similar stunt in 2012 regarding Sony in the month before the release of the PS4. In regards to the list, these are supposed to be the more respectable choices for news; the list of absent news giving sources is a lot larger.

Whilst the IT news magazines gave the broader setting (as well as Cisco on their own site), we see that the media is seemingly playing a game of: ‘Let’s rent a hotel room on an hourly rate‘.

When we see Tara Seals in Threatpost giving us: “A critical vulnerability in Cisco’s software-defined networking (SDN) software could allow an unauthenticated, remote attacker to connect to a vulnerable data-center switch and take it over, with the privileges of the root user” (at https://threatpost.com/cisco-critical-nexus-9000-flaw/144290/), I suddenly realise that there is an inner demon with a pitchfork stabbing into my brain telling me that I am a pussy, I disagree! So here it is: “A message for the Pentagon IT department; Do you still have the password ‘Cisco123‘ on some of your routers? If so would it not be a great idea to change it before the Chinese Ministry of State Security and the Foreign Intelligence Service of the Russian Federation (SVR RF) decide to download your servers at their earliest convenience?”

I know it is an annoyance, but with Cisco flaws the way they were it is merely a small consideration, and let’s not forget that at this stage no Huawei device was required to acquire the information on your servers. I personally believe that it is time for those who do not apply common cyber sense to be rewarded with limelight. I have had to clean up the mess of others for well over a decade and now it is time to give those people the exposure they deserve (my findings regarding Credit Agricole will have to wait for a few more days). When you consider that the flaw also hits the Nexus 9000 Data Centre Switch, a device that is according to their own site ‘Built for scale, industry-leading automation, programmability, and real-time visibility‘, as well as “operate in Cisco NX-OS Software or Cisco ACI modes with ground-breaking Cloud Scale ASIC technology“, and let’s be fair, there will always be an issue, a device on such scale cannot be flawless, yet when such a flaw is clearly reported on a level this big and the media merely looks at accusations against Huawei and leaves actual dangers unreported, the integrity of the media has become too large an issue on a global scale.

The issue is twofold for me, the first is that Huawei was never a risk and even as I disagree with the dumb headed approach that the US had, I am very much on the side of Alex Younger (the apparent fearless leader of MI-6), he is merely stating that non-British equipment (in this case Chinese) could be an optional threat in the future. His issue is that this level of infrastructure must be British and he is not wrong, no nation is wrong to have high level infrastructure equipment (whether it is 4G or 5G) in national hands. That is the application of common sense (yet realistically speaking not always pragmatic or achievable). So when he stated last February ‘It’s more complicated than in or out,‘ he is actually spot on, no one denies that. Yet the Americans had their big boots, brainless and started accusations that cannot be proven, that is an issue! For the US it was all about the money and American technology is losing more and more headway, they are literally falling further behind on a daily basis. As I personally see it, that is the direct consequence of iteration versus innovation technology. When the best innovative step is Samsung giving the consumer the ability to share power wirelessly (which is awesome), even I, as an anti-Samsung person, will admit that they hit the jackpot with that one. How sad have players like Apple, Microsoft, IBM, INTEL et al really become?

How much of a Scott Pilgrim must we become fighting all the tech companies in the world before we get told the direct truth by the media? How much shaming must we do to make the media make us the number one directive, not the number four option? And as I have been considering more and more to put my IP vision valued at $2 billion in the public domain and let them fight it out among themselves, basically I am just too tired to engage in another round of bullshit with these so called executives and VPs who (with the exception of Huawei and Google) do not have a clue on what they are doing in technology in the first place.

The larger problem is not Cisco; it is security and identity management. Most corporations are close to 5 years late into implementing an actual non-repudiation system and that is partially because there is no real good system or good way to ensure non-repudiation, an issue that should have been addressed almost 10 years ago, but never was; I personally tend to blame complacency there. I personally believe that a drive to iteration prevented innovation from getting us there, but that is merely my view on the matter and I am perfectly happy to be proven wrong on this specific part.

Dozens of options (I actually had another idea towards a new solution to applied solar technology) all having larger impacts in larger cities and pilot places like Neom City, what does it take for some of these players to wake up and smell the dangers of corporate death through marketing set towards iterative release?

 
