Friday, February 10, 2017

Shouting into the void *ptr;

Getting old people off Office is less a technical problem than a political one.

So a couple other hackers with deep expertise in exploitation and offensive operations and I often go to a USG policy forum which will remain unnamed and we propose strange things. One of those strange things can be best titled: Insecure at any price, the Microsoft story.

What this means is exactly what you're seeing in the latest EO: Get off Microsoft on your desktop. You cannot secure it. Despite Jason Healey's obsession with innovations from Silicon Valley, sometimes you have to say: There are things we cannot build with.

I will list them below:

  • Microsoft Office (Google Docs 100 times better anyways)
  • Microsoft Windows
  • OS X
  • PHP
  • ASP (ASP.NET good, old ASP bad)
  • Ruby on Rails (not sure how they made this so insecure, but they did)
  • Sharepoint. NEVER USE SHAREPOINT. It's a security nightmare because XSS exists.
  • Wordpress.

But it is also true about protocols. SMTP needs to be almost no part of your business. If you regularly use SMTP and email in your business structure, you are failing, and we already have replacements in the messaging space that do everything it does, but better.

Imagine two hackers sitting with policy lawyers and we say "Use Chromebooks, Use iPads" and that's what you're reading in the latest EO. That's how you solve OPM-hacking type issues. Of course, it is likely to simply be a coincidence. You never know where the info from these policy meetings ends up. It is only slightly more substantive than literally shouting into the void.

