Hans-Christoph Steiner @eighthave@librem.one

The key thing to remember is that luck plays a role in not being discovered, in a way that it does not with proper security measures. In my example, the hunters could have gotten lucky if they just happened to think to open the right door nearby and look at the servers there.

Given that physical access to computers is a lot harder to defend against than internet access, my one hour of time vs the time they spent was quite a good payoff.

I learned this lesson by operating a hidden server on a university network in a room next to a lab funded by #US three letter agencies, it was actually a feeder program, the grad students mostly went to work for those agencies. They had seen that my non-university domain name was mapped to a university IP address. They emailed me while I was on vacation, saying they were hunting for it. Two weeks later, I got back, and they still hadn't found it. They never did. That setup took me an hour.

I totally agree that #Security Through Obscurity does not work, I think the key word that often gets lost is "through". Make systems as secure as you can, don't rely on them being hidden. Obscurity can actually add quite a bit. Compare a build server reachable on a public domain name to one only reachable on a tor onion service. Finding the tor onion service could take the determined attacker quite a lot of time. The key measure is time to attack vs time spent setting up defenses. 1/

Reading the section in the #PaloAlto book about #decolonialization makes me think how so much digital media is a form of #colonialism of our personal relationships, education, and even thought processes. It is driven by companies with the mentality of extracting profit from mining resources, in this case, the resources our human relationships and education.

I wonder if #ChatGPT and its kindred #AI #LLM projects will just kind of slowly consume themselves via a downward spiral of driving down the level of public, online content via computer generated spam and #disinfo. They are trained on these public datasets, for example. For example, https://www.vice.com/en/article/jg5qy8/reddit-moderators-brace-for-a-chatgpt-spam-apocalypse

So many #software projects get caught in this trap of adding ever more #complexity as users request more features. When starting out, new software needs to directly solve a problem better than others, then people adopt it. As more people adopt it, they demand more features. Incrementally adding more features works for the existing user base, but makes it harder and harder for newcomers to jump in. Then new software does a key thing better, and the complex old one collapses under its own weight.

#ArsTechnica's article on exploiting #Zimbra is a nice example to work through to understand how an advanced #cyber #targeted #attack works
https://arstechnica.com/information-technology/2023/03/pro-russian-hackers-target-elected-us-officials-supporting-ukraine/2/

Does anyone have any examples of advanced #cybersecurity #attacks that were not targeted? I guess the #GreatCannon and maybe #QUANTUMINSERT #FOXACID are examples. I'd love to see a story about a recent exploit like this (those two examples don't really work when HTTPS is used).