NSA Prefers Hacking Routers and Switches

HardOCP News

Why bother with PCs when you can go for the low-hanging fruit instead?

The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities.
 
Routers are powerful enough now that you can take one over and no one will feel the performance hit. It's the same stuff we all thought all along when we were putting DD-WRT on our routers to expand functionality. If we can do it, so can the NSA.
 
Yes, and this still works because people are idiots and companies still don't care.

Those of us that actually care about security are STILL complaining that HTTPS and S/MIME aren't default features that take work to disable. The two most common internet tasks, web and email, SHOULD be secure by default. Period. (Side note, [H] should really at least allow HTTPS...)

Hell even if we don't have user to user email encryption gaining any traction there should at LEAST be required TLS for any decent public SMTP server to protect all inbound messages in transport, but on my unscientific observations NONE of the big ones require it and hell most are just in the last couple years getting around to supporting it. At least GMail universally seems to be supporting TLS now http://www.brentrjones.com/2010/12/03/gmail-and-google-apps-tls-broken/... but what's the point if some MITM router can just modify the response in transit so that it downgrades to cleartext and no server cert chain is verified and nothing is encrypted (at least until DANE's TLSA DNS stuff is properly supported, which might be never at this rate) http://www.postfix.org/TLS_README.html#client_tls_may ...

Oh and DNSSEC NEEDS to be deployed everywhere years ago and technologies like OpenDNS's DNSCrypt need to gain some serious traction as well...

Can't we just roll out IPSec across the web while we're at it too? Gaining access to a router SHOULD by design be boring as all hell watching traffic, but that doesn't seem to be the case :(. Even if developers don't consider the NSA evil (I don't know why they don't, but clearly they don't by their actions) for sitting on routers (which we've ALL known for years), they should at least consider OTHER hackers (say China, blackhats, etc) evil and thus work to defend against it...

The worst part about all this crap is that NONE of it is new. We have the technology, just no one wants to put their foot down and force something and it's saddening.
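The downgrade the post above describes (an on-path router stripping STARTTLS so the sending server falls back to cleartext, with no certificate chain ever checked) and the DANE/TLSA fix it mentions can be modelled in a few lines. This is an added example, not code from the thread or from Postfix: the certificate bytes, EHLO banners and TLSA records are constructed sample data, and the `may`/`dane` policies are a simplified model of the Postfix levels the linked TLS_README describes.

```python
"""Added example: opportunistic SMTP TLS is downgradable by anyone on the path;
a DANE TLSA record (RFC 6698) lets the sending MTA refuse the downgrade and
pin the receiving server's certificate. All sample data here is constructed."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: match the end-entity certificate itself
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 1 = SHA-256, 2 = SHA-512 of the selected data
    data: bytes     # digest published at _25._tcp.<mx host>, DNSSEC-signed

def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Check one DANE-EE / full-certificate record against the presented cert."""
    if record.usage != 3 or record.selector != 0:
        return False  # SPKI and CA-constraint forms need an ASN.1 parser; out of scope
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(record.mtype)
    return digest is not None and digest(cert_der).digest() == record.data

def smtp_client_decision(ehlo_lines, tlsa_records, cert_der, policy):
    """What the sending MTA does after EHLO.
    policy 'may' : opportunistic (Postfix smtp_tls_security_level=may, simplified)
    policy 'dane': TLSA records present -> TLS mandatory and cert must match
    Returns 'cleartext', 'tls-unauthenticated', 'tls-authenticated' or 'defer'."""
    offers_starttls = any(l.upper() in ("250-STARTTLS", "250 STARTTLS") for l in ehlo_lines)
    if policy == "may":
        # Whatever the banner says is trusted: a stripped banner means cleartext.
        return "tls-unauthenticated" if offers_starttls else "cleartext"
    if policy == "dane" and tlsa_records:
        if not offers_starttls:
            return "defer"  # STARTTLS was stripped on path: never fall back to cleartext
        if any(tlsa_matches(r, cert_der) for r in tlsa_records):
            return "tls-authenticated"
        return "defer"      # certificate does not match the DNS pin: treat as MITM
    # DANE asked for but the zone publishes no TLSA records: opportunistic again
    return "tls-unauthenticated" if offers_starttls else "cleartext"

# Constructed sample data (not real certificates or DNS records).
REAL_CERT = b"CONSTRUCTED-DER-OF-THE-REAL-MAIL-SERVER-CERT"
MITM_CERT = b"CONSTRUCTED-DER-OF-AN-INTERCEPTING-ROUTER-CERT"
TLSA_RECORDS = [TLSA(3, 0, 1, hashlib.sha256(REAL_CERT).digest())]
EHLO_OK = ["250-mail.example.test", "250-STARTTLS", "250 SIZE 10240000"]
EHLO_STRIPPED = ["250-mail.example.test", "250 SIZE 10240000"]  # STARTTLS removed on path

if __name__ == "__main__":
    for name, ehlo, cert in [("stripped", EHLO_STRIPPED, REAL_CERT), ("mitm-cert", EHLO_OK, MITM_CERT)]:
        print(name, "may ->", smtp_client_decision(ehlo, TLSA_RECORDS, cert, "may"),
              "| dane ->", smtp_client_decision(ehlo, TLSA_RECORDS, cert, "dane"))
```

The point the example makes is the post's own: under `may` the stripped banner silently yields cleartext and a forged certificate is accepted, while with a signed TLSA record the same two tamperings both end in a deferral instead of delivery.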
 
This so explains why my router initiated an ARP poisoning attack on my connected devices.
 
Routers are powerful enough now that you can take one over and no one will feel the performance hit. It's the same stuff we all thought all along when we were putting DD-WRT on our routers to expand functionality. If we can do it, so can the NSA.

Umm, not those kinds of routers and switches, man. Think more like ISP level.
 
So you cannot talk openly about freedom of speech any more?

People nowadays get in trouble for telling the truth. Freedom can't defend itself.
 
Yes, and this still works because people are idiots and companies still don't care.

Those of us that actually care about security are STILL complaining that HTTPS and S/MIME aren't default features that take work to disable. The two most common internet tasks, web and email, SHOULD be secure by default. Period. (Side note, [H] should really at least allow HTTPS...)

Hell even if we don't have user to user email encryption gaining any traction there should at LEAST be required TLS for any decent public SMTP server to protect all inbound messages in transport, but on my unscientific observations NONE of the big ones require it and hell most are just in the last couple years getting around to supporting it. At least GMail universally seems to be supporting TLS now http://www.brentrjones.com/2010/12/03/gmail-and-google-apps-tls-broken/... but what's the point if some MITM router can just modify the response in transit so that it downgrades to cleartext and no server cert chain is verified and nothing is encrypted (at least until DANE's TLSA DNS stuff is properly supported, which might be never at this rate) http://www.postfix.org/TLS_README.html#client_tls_may ...

Oh and DNSSEC NEEDS to be deployed everywhere years ago and technologies like OpenDNS's DNSCrypt need to gain some serious traction as well...

Can't we just roll out IPSec across the web while we're at it too? Gaining access to a router SHOULD by design be boring as all hell watching traffic, but that doesn't seem to be the case :(. Even if developers don't consider the NSA evil (I don't know why they don't, but clearly they don't by their actions) for sitting on routers (which we've ALL known for years), they should at least consider OTHER hackers (say China, blackhats, etc) evil and thus work to defend against it...

The worst part about all this crap is that NONE of it is new. We have the technology, just no one wants to put their foot down and force something and it's saddening.

Totally with you on this one. If developers take action there is no reason we cannot secure our infrastructure a little bit from. It makes me really sick to listen to other people's private conversations and data. Really sick.
 
Great. I'm assuming we can add Cisco and a few others to the list of companies cooperating with the NSA.
 
Why hack XXXX computers when you can simply hack the router they are using to communicate on... I thought it was obvious they had been doing this for quite some time.
 
We have the technology, just no one wants to put their foot down and force something and it's saddening.

Actually there is a glimmer of hope, so to speak, but it's less of a "put their foot down" and more of an "I'll give you that if you agree to do this".

Just last week or so, there was an article about the Gov. suggesting they "insure" companies against civil legal action for damages if they get hacked/etc if those companies conform to Federal IA Compliance Standards.

I am not completely in favor because I think it will have an inverse effect on getting companies to correct vulnerabilities in their software. In other words, by the Government rules on IA Compliance, if a scan picks up on a vulnerability but the vendor responsible hasn't fixed it yet, then the vulnerability is noted but the system is deemed compliant. So there is still a big hole and there is no pressure on the vendor to fix it because everyone is currently protected from legal reprisal.

Where is the stick that goes with the carrot?
 
I'm thinking this will only accelerate the transition to open networking hardware (think Open Compute Project, BigSwitch, etc.), white-box hardware with open source operating systems. This is the only way to truly keep them out of the networks, and frankly I am surprised that foreign entities have not jumped on this stuff hardcore for this very reason.
 
I'm thinking this will only accelerate the transition to open networking hardware (think Open Compute Project, BigSwitch, etc.), white-box hardware with open source operating systems. This is the only way to truly keep them out of the networks, and frankly I am surprised that foreign entities have not jumped on this stuff hardcore for this very reason.

You can't keep them out cause you can't buy them off. The pockets are too deep, the incentives too great, and that's if they do it in a quiet but official way. They always have the backup, pay off the right stooge.
 
You can't keep them out cause you can't buy them off. The pockets are too deep, the incentives too great, and that's if they do it in a quiet but official way. They always have the backup, pay off the right stooge.

They would just buy off the ISP further up the chain... or hack it :)
 
They would just buy off the ISP further up the chain... or hack it :)

Someone, somewhere will always be running that insecure hop. Once the packet goes out, who can guarantee where it goes or how it comes back? End-to-end encryption is the only way.
 