Is it still good practice to reinstall everything after you are owned?

Steve Kinney admin at pilobilus.net
Wed Nov 1 13:58:03 PDT 2017


On 11/01/2017 02:56 PM, How Rude ! wrote:

> Also:
> blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
> 
> JS;DR:
> All computers are fucked.

Now that's music to every clueless luser's ears:  "Don't waste a moment
of time or give up an inch of convenience for security, because there is
no such thing as security."  Not only does this justify the lusers'
categorical refusal to spend a moment of time or give up an inch of
convenience, it also assures them that they are /smarter/ than people
who do give a damn about network security.

Whether any given computer is fucked on a given day depends on many
factors.  Network security begins with a threat model:  Who might want
to steal or destroy your data, what resources do they have, and if an
adversary is successful what do you stand to lose?  Next look at the
methods for locking those particular adversaries out, and the cost in $$
and time for doing so:  Compare the price of a solid defense to the
value of what you are defending:  When it costs more to defend an asset
than it is worth, you lose.  When it costs less to defend an asset than
it is worth, you win.

It is almost always orders of magnitude easier and cheaper to defend a
computer than to attack one - IF one starts with tools that CAN be
secured, which rules out Microsoft operating systems and software.
Where and as security fail is unavoidable - i.e. your shop needs a
commercial software package that will not run on anything but a
Microsoft OS - the value of the work product will justify the costs
(including minor personal inconvenience) of properly quarantining the
machine(s) it lives on.  If not, you don't really need that work product
and the problem solves itself the cheap way:  "We stopped using that."

As a bonus, defending digital assets from one's "most serious"
adversaries will automatically defend those assets from lesser beings.
Perfect or absolute security does not exist because it can not exist:
But almost anyone can afford a good enough security model to reduce the
odds of serious security incidents per decade from near certainty to a
low single digit percentage.

Network security axiom:  User refusal is the principal barrier to secure
networking.

:o/




