On 2/3/15, dan@geer.org <dan@geer.org> wrote:
... John, you know this I'm sure, but for the record the highest security places use sacrificial machines to receive e-mail and the like, to print said transmissions to paper, and then those (sacrificial) machines are sacrificed, which is to say they are reloaded/rebooted. Per message. The printed forms then cross an air gap and those are scanned before transmission to a final destination on networks of a highly controlled sort. I suspect, but do not know, that the sacrificial machines are thoroughly instrumented in the countermeasure sense.
this is defense to depths layered through hard experience lessons ;)
... For the entities of which I speak, the avoidance of silent failure is taken seriously -- which brings us 'round to your (and my) core belief: The sine qua non goal of security engineering is "No Silent Failure."
there was an interesting thread here last year on instrumenting runtimes to appear stock (vulnerable) but which fail in obvious ways when subversion is attempted. (after all, being able to observe an attack is the first step in defending against such a class...) "hack it first yourself, before your attacker does..."
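As an added illustration of the two ideas in this exchange (a runtime that looks stock to its caller but trips a visible alarm when subverted, and "No Silent Failure" as the design goal), here is a small tripwire allocator in C. It is example code written for this page, not code from the thread above or from any product the participants describe. Everything in it is hypothetical: the `tw_` API, the fixed-size arena, the 8-byte secret guard word placed after every slot, and the `tripwire()` hook that logs and aborts. The caller sees an ordinary `alloc`/`check` interface; an overflow into the guard is detected and reported rather than quietly corrupting the neighbour. The guard value is seeded from `rand()` for brevity, which is not a substitute for a CSPRNG in a real deployment.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tripwire allocator (example code, not from the thread).
 * Slot layout inside one static arena:
 *   [8-byte header: requested size][data, padded to 8][8-byte secret guard]
 * To the caller this is a plain bump allocator. A write past the end of
 * a slot lands in the guard, and tw_check() turns that into a loud event. */

#define ARENA_SIZE 4096
#define HEADER_LEN 8
#define GUARD_LEN  8

static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;
static unsigned char guard_pattern[GUARD_LEN];
static int guard_ready = 0;

/* Tamper telemetry a monitoring agent would export. */
static unsigned long tamper_events = 0;
static size_t last_tamper_offset = 0;
/* Production default: abort. Tests switch this off to inspect the counters. */
static int abort_on_tamper = 1;

static void init_guard(void)
{
    /* Per-process guard value so an attacker cannot blindly restore it.
       rand() is illustrative only; use a CSPRNG for real. */
    srand((unsigned)(uintptr_t)&arena_top);
    for (size_t i = 0; i < GUARD_LEN; i++)
        guard_pattern[i] = (unsigned char)(rand() & 0xff);
    guard_ready = 1;
}

/* The "no silent failure" hook: record, announce, then die loudly. */
static void tripwire(size_t slot_offset)
{
    tamper_events++;
    last_tamper_offset = slot_offset;
    fprintf(stderr, "TRIPWIRE: guard corrupted after slot at arena offset %zu\n",
            slot_offset);
    if (abort_on_tamper)
        abort();
}

void tw_set_abort(int on) { abort_on_tamper = on; }
unsigned long tw_tamper_events(void) { return tamper_events; }
size_t tw_last_tamper_offset(void) { return last_tamper_offset; }

/* Looks like an ordinary allocator; returns NULL when the arena is full. */
void *tw_alloc(size_t n)
{
    if (!guard_ready)
        init_guard();
    size_t padded = (n + 7) & ~(size_t)7;
    size_t need = HEADER_LEN + padded + GUARD_LEN;
    if (n == 0 || padded < n || need > ARENA_SIZE - arena_top)
        return NULL;
    unsigned char *base = arena + arena_top;
    uint64_t hdr = (uint64_t)n;
    memcpy(base, &hdr, HEADER_LEN);
    memset(base + HEADER_LEN, 0, padded);              /* zeroed like calloc */
    memcpy(base + HEADER_LEN + padded, guard_pattern, GUARD_LEN);
    arena_top += need;
    return base + HEADER_LEN;
}

/* Returns 0 if the guard behind the slot is intact, 1 if it was overwritten
 * (after calling tripwire, which aborts unless tw_set_abort(0) was called). */
int tw_check(const void *p)
{
    const unsigned char *data = (const unsigned char *)p;
    uint64_t hdr;
    memcpy(&hdr, data - HEADER_LEN, HEADER_LEN);
    size_t padded = ((size_t)hdr + 7) & ~(size_t)7;
    if (memcmp(data + padded, guard_pattern, GUARD_LEN) == 0)
        return 0;
    tripwire((size_t)(data - arena));
    return 1;
}

int main(void)
{
    char *ok = tw_alloc(16);
    memset(ok, 'A', 16);                 /* in-bounds use: stays silent */
    printf("intact slot check: %d\n", tw_check(ok));

    char *victim = tw_alloc(16);
    memset(victim, 'B', 20);             /* 4 bytes past the slot, into the guard */
    tw_check(victim);                    /* prints TRIPWIRE and aborts */
    return 0;
}
```

Running it stand-alone prints the intact check result, then the overflow check announces itself on stderr and the process aborts, which is the observable failure the thread argues for: the subversion attempt is visible to whoever is watching the sacrificial machine, instead of being absorbed.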