Convinced is a strong word, but phones are typically running code that is not user controlled in an environment where they are always expected to be connected to the internet.
Given the amount of spying that has been revealed (a lot of it seeming to be superficially illegal) it seems reasonable to assume that phones are compromised in all manner of ways unless proven otherwise. I'd prefer to be pleasantly surprised.
Anything that makes it more expensive for the government to read someone's communications is a bonus. Ideally panopticon states will remain uneconomic.
* Mobile-phone baseband chipsets are proprietary and secret a.f. and part of that is down to the carrier's insistence.
* Baseband chipsets run software that the carrier ships OTA to the phone.
* While baseband chipsets are ostensibly part of the wireless modem and meant to simply provide a service to the rest of the phone it looks like they generally have some form of access to the phone's main memory bus (just like any other PCIe device in a PC) and so could read the framebuffer (assuming it's backed in RAM at all) - or at least the back-buffers of the screens of running applications.
* Even 6-7 years ago, there existed definite causes for concern in (at least) the 32-bit version of iOS - but I can't find any hard evidence that the baseband chip in Apple Silicon-era phones wouldn't have at least some access. See https://github.com/userlandkernel/baseband-research
Having nothing at all to go by except for the platform's documentation and if we're lucky a pinky promise that they'd never backdoor their chips or devices if the state strong armed them into it seems to require a whole lot of faith. It'd be a lot nicer to have verifiable/auditable hardware and software so that we could be reasonably confident what it was capable of and could see exactly what it was doing instead of having to trust the black box.
You've given up the argument at this point. If you don't trust your phone's manufacturer not to backdoor their own chips, the baseband doesn't matter. If you're concerned about the Qualcomm baseband chips in an iPhone, you're talking about what is probably (depending on your phone) just a USB peripheral.
The baseband parts here are not, as message board C.W. would have it, top secret unknowable wizard hardware. You can get the part numbers and look them up.
There's a lot of weird mythology about these modem parts. The thread you linked to included someone claiming that basebands were DMA'ing into host memory --- you couldn't even do DMA over the HSIC USB the parts were using. Like, it wasn't even physically possible.
(I have no idea what a 5G Snapdragon Xwhatever can do today, but I assure you that Apple's security team does).
> Having nothing at all to go by except for the platform's documentation and if we're lucky a pinky promise
We have way, way, way more than that. Both the GP and you are arguing about the security deficiencies of modern phones as you've imagined them, rather than as they are, but that gap is trivial to close with relatively little reading.
> you are arguing about the security deficiencies of modern phones as you've imagined them, rather than as they are
I appreciate the strength of your conviction - but I'm not a phone industry insider, and have no access to the kinds of reading material I assume you're pointing to - for example, Qualcomm put their docs behind a verify-your-employer wall (which is outrageous): https://www.qualcomm.com/products/technology/modems/snapdrag...
...if Qualcomm's attitude towards openness and transparency is representative of the mobile comms industry in general then they have little hope of correcting any misinformation or misconceptions other technology folk like ourselves might have, let alone the general public.
No, this doesn't require access to internal documentation of anything, just googling a little. Like the sibling comment points out, the whole baseband thing is a bit of a messageboard trope and has been for about a decade. This is one of these things you can sort of guess from first principles! I.e. how likely is it that this well-known problem (the potential security implications of DMA/memory mapped peripherals) has remained completely unmitigated and unaddressed by smartphone designers for 10+ years?
I can highlight text on the application switching screen (swipe up on android, press and hold over text on any of the applications in that view, you can highlight text that's otherwise not highlightable)
Someone should write a Wikipedia article on a glibly labeled law to the effect of, "any opportunity for forensic information to be exploited, will be done so."
The OS and apps can record the screen. With root access, the State or someone who knows the triggers could issue a capture and store it to a remote site without user knowledge.
A GPS transponder with microphone and camera under the control of billionaires seems like a mistake
Is cryptocurrency busted? Sure, it didn't replace the global monetary system, but it seems to be a proven technology now. And sure, it had its crashes, but BTC is up 112% over 1Y, and lots of cryptos have legitimate payment purposes.
Proven to do what exactly? A solution for which problems?
Cryptocurrency had billions invested into it and the most valuable product that came out of it was cartoon apes. There's not a single blockchain that replaced the existing financial system, an area it was supposed to disrupt. There's not a single blockchain in use anywhere in logistics and supply chain, an area the blockchain was allegedly going to revolutionize. There's not a single blockchain being used for identity management by serious enterprises.
Most new technologies are overhyped, but blockchain/cryptocurrency is the only one where you can look back and be astonished at how virtually nothing was created. Its most important lasting contribution to society is providing incontrovertible evidence that just because "thought leaders" and deep-pocketed investors say something is going to change the world, it doesn't make them right.
Whether or not you agree with the greater philosophical goal of Bitcoin, Bitcoin proved the ability to create a system of value using basically just cryptography and with a built-in reward system to incentivize the decentralization of the network -- and it grew enough that it can now operate as a standalone method of payment. It's an amazing feat.
I don't disagree with you. But the original post was about 1) cryptocurrency as a whole being busted and 2) that cryptocurrency had never provided any kind of value. Those are what I disagree with.
Yeah it just requires massive investment in computer components, ridiculous amounts of carbon burning, servers in the Arctic to lower cooling costs, and a few towns full of people subject to more sound than jet engines at all hours of the day. Innovation!
> Bitcoin proved the ability to create a system of value using basically just cryptography and with a built-in reward system to incentivize the decentralization of the network
No, because micro transactions in games is a centralized system involving zero cryptography, usually powered by a centralized database by the game developer. Bitcoin is decentralized.
Barely, if at all. Technically it can be decentralized, but Bitcoin's design promotes centralization, and the result is that currently Bitcoin can be controlled by either two entities (AntPool and Foundry USA) or three (one of the former ones plus F2Pool and ViaBTC) - and it's not going to get better.
Good luck sending 10 BTC worth of USD from a US bank to China or Russia, or ANY bank without raising eyebrows and getting your bank account locked/frozen
Well, I hold crypto, but admittedly it's kind of failed as far as payments are concerned.
I used to use BTC quite regularly for payments back in like 2014-2015. But now, it's too expensive to move around due to fees so I just hold it. The same can be said even of ETH - the fees are too high to interact with a lot of the DeFi stuff.
There are 'layer 2' solutions that tackle the fees issue but uptake of these has been slow.
It's why they pivoted to calling BTC a store of value years ago. The payments side of crypto is kind of disappointing.
Maybe a better example would be the more general "blockchain". There was all sorts of talk just a few years ago about how it was the most revolutionary technology since the Web and every business was going to be affected by it.
What's the risk-adjusted return and correlation with other securities? Those are both more important than share price.
Since it doesn't pay dividends in USD, its USD value is only achieved if you go around convincing everyone else to stop selling it so that you can sell it. Which I think conflicts with it being used for payments.
As a consumer there is practically speaking zero legitimate payment purposes available to me. Sure there are a couple of niche services that offer BTC payments alongside credit cards...but my grocery store does not accept BTC.
I get what you're trying to do, but the first impression I get when opening the site is "this site is asking for credentials to connect to my database for me". It doesn't have the look of a "quick utility" website to generate a command. I like crontab.guru as an example of a "quick utility" site that I go to frequently with an intuitive UX. I think if your site had the "generated command" front-and-center, maybe even pre-generated with a command already, the site's goal might feel more obvious upfront.
For those unaware: CTRL+R in terminal will also change your prompt to search your command history. After typing, CTRL+R again to cycle through matches.
Why send every url you visit (or its hash, whatever) to google in return for little to no tangible benefit? I've never used safebrowsing at any point since its introduction and have yet to encounter a single instance where I would have benefitted had I been using it.
"It would be too slow (and privacy-invasive) to contact a trusted server every time the browser wants to establish a connection with a web server. Instead, Firefox downloads a list of bad URLs every 30 minutes from the server (browser.safebrowsing.provider.google.updateURL) and does a lookup against its local database before displaying a page to the user."
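The mechanism the quoted passage describes (a periodically downloaded local list, consulted before any page load, with the provider contacted only on a local hit) is worth seeing end to end, because it is what makes the "send every URL to Google" objection above mostly inaccurate for the list-based mode. Below is an added example, not Firefox or Google code: the canonicalization and host-suffix/path-prefix rules are a reduced version of the real Safe Browsing ones, the 4-byte prefix length is an assumption, and the bad-URL list and "server" are constructed inline.

```python
"""Simplified model of a Safe Browsing style local-list lookup (added example,
not Firefox or Google code; the canonicalization and expression rules are a
reduced version of the real ones, and the bad-URL list is constructed)."""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest kept in the local list (assumption)


def canonicalize(url: str) -> tuple[str, str]:
    """Reduce a URL to (lowercase host, path incl. query); the fragment is dropped."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def expressions(url: str) -> list[str]:
    """Host-suffix / path-prefix combinations that get hashed and looked up."""
    host, path = canonicalize(url)
    labels = host.split(".")
    # the host itself plus up to four shorter suffixes (never a bare TLD)
    host_forms = [host] + [".".join(labels[i:]) for i in range(1, min(len(labels) - 1, 5))]
    path_no_query = path.split("?", 1)[0]
    comps = [c for c in path_no_query.split("/") if c]
    path_forms = [path, path_no_query, "/"] + [
        "/" + "/".join(comps[:i]) + "/" for i in range(1, min(len(comps), 4) + 1)
    ]
    out: list[str] = []
    for h in host_forms:
        for p in path_forms:
            if h + p not in out:
                out.append(h + p)
    return out


def local_check(url: str, local_prefixes: set[bytes]) -> list[tuple[str, bytes]]:
    """Expressions whose hash prefix is in the locally cached list. No network."""
    hits = []
    for e in expressions(url):
        digest = hashlib.sha256(e.encode()).digest()
        if digest[:PREFIX_LEN] in local_prefixes:
            hits.append((e, digest))
    return hits


def classify(url, local_prefixes, full_hash_lookup):
    """Verdict for a URL. full_hash_lookup (the only server round-trip) is called
    solely when a prefix matched locally, and receives the prefix, not the URL."""
    hits = local_check(url, local_prefixes)
    if not hits:
        return "safe (no network request)"
    for e, digest in hits:
        if digest in full_hash_lookup(digest[:PREFIX_LEN]):
            return f"unsafe ({e})"
    return "safe (prefix collision resolved by full-hash lookup)"


# Constructed list of bad expressions standing in for the downloaded database.
BAD_EXPRESSIONS = ["malware.example/bad/path", "phish.example/"]
FULL_HASHES = {hashlib.sha256(e.encode()).digest() for e in BAD_EXPRESSIONS}
LOCAL_PREFIXES = {d[:PREFIX_LEN] for d in FULL_HASHES}


def fake_full_hash_server(prefix: bytes) -> set[bytes]:
    """Stands in for the provider's full-hash endpoint (constructed)."""
    return {d for d in FULL_HASHES if d.startswith(prefix)}


if __name__ == "__main__":
    for u in ("https://good.example/index.html",
              "http://malware.example/bad/path?x=1",
              "http://www.phish.example/login#top"):
        print(u, "->", classify(u, LOCAL_PREFIXES, fake_full_hash_server))
```

The privacy property is in `classify`: for a URL with no local prefix hit, nothing leaves the machine; on a hit, the provider learns a short hash prefix (which several unrelated URLs share), not the page visited. The cost of that design is the 30-minute list staleness the quoted passage mentions.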
Funny how this article points out that Okta was notified by a third party of suspicious tenant activity, Okta did not find evidence of the breach, and only after some persistence from BeyondTrust did Okta re-investigate and identify the breach.
It's beyond my comprehension why anyone is using Okta anymore. Authentication is the most critical piece of any IT. Okta has proven again and again to be an untrusted party lacking integrity. It's just a time bomb about to go off.
Also, vendor lock-in once you're invested is very real with execs. Change is hard in general; it's even harder when it's a significantly embedded service that takes time and money to replace, plus your director likes going to sports with their sales guys.
Also, I sincerely believe there's a little bit of not minding they suck because they can just blame Okta if something happens, and blame is the worry.
It's a consequence of corporate culture that punishes failure. Part of changing is admitting the previous approach isn't working, and why it isn't working.
They could always punish the internal person who chose Okta. But I guess they're now big enough to be into "no one was ever fired for choosing [Okta]" territory?
> It's beyond my comprehension why anyone is using Okta anymore.
Because, if you are already using Okta, it costs budget to change that. Who is signing up to do that? Didn't Family Circus used to have a ghost character labelled "Not Me"?
And a bunch of people who didn't like Okta went with Auth0 and then wound up with Okta anyway.
Counter question, how has Okta proven that they have integrity and are competent and can be trusted to run critical IT?
What quantitative evidence have they ever demonstrated that shows they can stop the attackers who would like access to the billions of dollars of assets whose access they authenticate? A criminal enterprise can literally hire tens to hundreds of skilled hackers full time for years to target these systems and still turn a profit.
The default assumption is that systems are easily hacked. Claiming protection against even small teams of moderately skilled attackers, let alone organized crime, is an extraordinary claim. Where is their extraordinary evidence?
So I can just give you a cardboard box and call it a vault? You can not prove me wrong upfront so you have to believe me? That is ridiculous.
There is plenty of evidence you can provide to establish confidence that a certain degree of security has been achieved. Robust auditing, thorough review, formal methods, exhaustive testing, competent red team exercises failing to find any vulnerabilities, etc. The only people throwing their hands up claiming security can not be evaluated have nothing useful to say about security because they do not even believe it is possible to know if they did anything.
Counter argument. Okta does all those things. Provides all the evidence, the red teams, etc. and still you don’t trust them (because they continue to have breaches) so to argue that one can prove security is false. One can only practice security and find assurance in certainty that they can identify events after or when they occur. No one can predict the future and no one can guarantee security in perpetuity. So I agree with you that Okta sucks. I also agree with the argument that you have to keep the knife sharp but you can’t just state the knife is sharp. You have to draw some blood to prove it. Likewise security postures are tested when incidents occur, through testing oneself or from another testing you. Complacency in this is when holes form. Security can only be evaluated at the moment in time. You can audit the past, but you can’t audit the future.
Counter argument, prove that Okta does any of those things to any meaningful degree. They are responsible for guarding the authentication to literally billions of dollars of assets. They are a prime target for organized crime who can field teams of tens to hundreds of hackers and state actors who can field teams of thousands for years. The recent Caesars attack had a 15 M$ payout, which means it would have been profitable to spend 5-10 M$ of hacking resources to pull off that attack. Okta is a much juicier target. They need to have security adequate to defeat an attack with 10 M$ of funding at a bare minimum.
So yeah, show me a red team exercise with 10 M$ of funding, they get a 30 person hacking team and 1 year fulltime, that failed to find any vulnerabilities and failed to gain access to any sensitive data, then we can talk about if they provided evidence of adequate security. I bet all they have is what everybody else has which is red team exercises that had 3 people for a month that reported 27 serious vulnerabilities, then another red team exercise that found a different 23 vulnerabilities, then another, then another, then another, always finding new ones because their systems are actually at the 100 K$ quality level. Those exercises do provide evidence and confidence in their security, you can be extremely confident their systems are grossly inadequate for their threat landscape. I have not looked, but the same can almost certainly be said about their certifications, audits, etc. since the gold standard that everyone aspires to is, when looked at objectively, grossly inadequate.
No and no, but I was just providing a counter argument so we can get past our bias and get to the heart of the issue. Can we trust Okta going forward? Do they understand the scope? The risks? Or are they full of Id and Ego that they think they are untouchable?
Having red teams, having audits, having scans, etc is simply not enough for some folks but in Okta’s eyes, it’s enough for C-suite talks of taking Authentication/authorization off the plate of their IT department.
I firmly believe for every individual who thinks they are untouchable, there’s a hacker who knows more and is willing to throw it all away to prove a point.
Great, so your argument is based on misinterpreting my single usage of the word “prove” to mean the mathematical definition rather than the colloquial definition meaning substantiated as is obvious to even the most casual observer based on how my statements talk about evidence, not logical inference rules.
I mean, do you seriously think that if person A says: “My vault is secure for 15 minutes against a human with a crowbar.” And person B says “Prove it.” That person A would ever respond with: “I can not because a vault is not a mathematical object and therefore proof is impossible, but I can substantiate it.” That would be ridiculous beyond belief. That is what you are doing.
Not that I am aware of, which bolsters my point. If airsoft pellets keep ripping through everybody's "bulletproof" vests and they all keep telling you to have faith in their new vest, and no, they will not provide you any evidence that it works, then any sane person would be running for the hills. You should be completely skeptical that an entire industry that can not even stop airsoft pellets is suddenly able to stop bullets, 354th time's the charm for sure, until they show you some extraordinary evidence. Fool me once, shame on you. Fool me 354 times in a row for three decades, shame on me.
It’s actually comical that Cloudflare is trying to blame Okta for this. A Cloudflare employee uploaded secrets to Okta’s support tool. That is what caused the breach.
'Malicious Okta employee' who already has privileged access in the systems the customer has chosen to outsource their auth to?
If Okta employee is a high priority threat model... then the customer is better off not using Okta.
Not that it shouldn't be considered, but if Okta top-to-bottom penetration is expected and accepted, then that's taking Zero Trust to a whole new length.
It's literally a policy from Okta to investigate issues, which isn't Cloudflare's fault. The tool from Okta got compromised and all clients that needed support from Okta could/have been damaged as well.
Additionally, it was Cloudflare that SAW something was off and notified Okta. Cloudflare didn't get breached at all.
> The root cause is that Okta got compromised.
It's even surprising that Cloudflare's policies are so good in detection that they detected this at all, before Okta.
Purely anecdotal but their systems are designed very poorly, they outsource their support to some really low quality vendor (read: you get 0 support). This is not a company I would trust if I had the choice.
I was at an org who started using Okta a few years ago (left a few months later, unrelated). Among the issues, it wasn't confidence inspiring that the policies that org set (like requiring the Okta app for 2FA rather than TOTP, or enforcing certain properties about the passwords you're allowed to use) were only enforced in the browser and could easily be circumvented by just sending an appropriate request. Maybe they're fine otherwise, but my rule of thumb is that every security-critical single-point-of-failure like Okta will have major problems, and they certainly haven't presented enough evidence to sway that opinion.
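The failure mode the comment above describes (a tenant policy that the login page enforces in JavaScript but the backend never re-checks) is a general web-application bug, not specific to any vendor. Below is an added example, not Okta's code: the policy values, the factor names ("push", "totp") and the request dictionaries are assumptions chosen to mirror the two policies the commenter mentions. The `_client_trusting` handlers show the bypassable shape; the hardened ones re-run the policy on every request regardless of what the client claims.

```python
"""Policy enforcement in the server handler rather than in the browser.
Added example, not Okta code; policy values, factor names and request shapes
are assumptions. Requests are plain dicts standing in for parsed HTTP bodies."""
import hmac
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    min_length: int = 14
    require_digit: bool = True
    allowed_factors: frozenset = frozenset({"push"})   # assumption: org disabled TOTP


@dataclass
class User:
    name: str
    password: str
    factors: dict = field(default_factory=dict)        # factor name -> expected code (constructed)


def password_violations(pw: str, policy: Policy) -> list:
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.require_digit and not re.search(r"\d", pw):
        problems.append("no digit")
    return problems


# --- bypassable: the browser ran the checks, the server trusts a flag it sent ---
def set_password_client_trusting(user: User, request: dict) -> str:
    if not request.get("client_validated"):
        return "rejected"
    user.password = request["password"]   # a hand-built request sets the flag and skips policy
    return "changed"


# --- hardened: the server re-evaluates the policy on every request ---
def set_password(user: User, request: dict, policy: Policy) -> str:
    problems = password_violations(request.get("password", ""), policy)
    if problems:
        return "rejected: " + ", ".join(problems)
    user.password = request["password"]
    return "changed"


# --- bypassable: any enrolled factor is accepted, including ones the org disabled ---
def verify_factor_client_trusting(user: User, request: dict) -> bool:
    expected = user.factors.get(request["factor"])
    return expected is not None and hmac.compare_digest(expected, request["code"])


# --- hardened: the allowed-factor policy is checked before the code is ---
def verify_factor(user: User, request: dict, policy: Policy) -> bool:
    if request["factor"] not in policy.allowed_factors:
        return False
    expected = user.factors.get(request["factor"])
    return expected is not None and hmac.compare_digest(expected, request["code"])


if __name__ == "__main__":
    policy = Policy()
    alice = User("alice", "old-password-1", {"push": "approved", "totp": "123456"})
    crafted = {"password": "short", "client_validated": True}   # what curl, not the UI, sends
    print(set_password_client_trusting(alice, crafted))          # changed
    print(set_password(alice, crafted, policy))                  # rejected: ...
    bypass = {"factor": "totp", "code": "123456"}                # factor the policy forbids
    print(verify_factor_client_trusting(alice, bypass))          # True
    print(verify_factor(alice, bypass, policy))                  # False
```

The quick check for any hosted IdP or internal app is the same as the commenter's: replay the login or password-change request from the browser's network tab with the client-side restriction removed (a disallowed factor, a too-short password, a missing "validated" field) and see whether the backend still accepts it.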
I know this is old, so I'm not sure if you'll see it, but I'm genuinely curious what alternatives you suggest.
My experience has been: start with Google until it's too painful to continue, choose between Azure AD or Okta. Self-hosting for plenty of firms is just asking for worse scenarios. Is there some market leader I'm unaware of?
My company uses Okta. Several of the lower level security employees expressed concerns and management told them to go fuck themselves. IT simply does not care. So that’s probably why - ignorance and apathy.
That title from Okta has to be the lamest in all history of security breach announcements!! "Tracking Unauthorized Access to Okta's Support System"
Horrible title, not transparent or direct, pretty lame. and I agree, it's dreadful that Okta did not even mention that BeyondTrust told them about it on Oct 2 (30 minutes after BT uploaded their HAR file to Okta Support).
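Both comments above turn on the same artefact: a HAR file captured by a browser and uploaded to a support tool. A HAR records complete requests and responses, so it carries the session cookies, bearer tokens and response bodies of whoever recorded it, and anyone who can read the ticket can replay them. Below is an added example, not Okta's, Cloudflare's or BeyondTrust's code, of redacting that material before upload; the header and query-parameter names it treats as sensitive are an assumption, and the sample HAR is constructed.

```python
"""Redact session material from a HAR file before attaching it to a support
ticket. Added example, not Okta, Cloudflare or BeyondTrust code; the header and
parameter names treated as sensitive are an assumption, the sample is constructed."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-api-key", "x-csrf-token"}                       # assumption
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "code", "session", "sessiontoken"}                  # assumption


def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    for c in cookies:            # every cookie: a session cookie is what gets replayed
        c["value"] = REDACTED


def _scrub_query(params):
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            p["value"] = REDACTED


def _scrub_url(url):
    """The URL string duplicates queryString, so redact the same parameters there."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    q = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of `har` with credentials removed from every entry."""
    har = json.loads(json.dumps(har))
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_headers(req.get("headers", []))
        _scrub_cookies(req.get("cookies", []))
        _scrub_query(req.get("queryString", []))
        if "postData" in req and "text" in req["postData"]:
            req["postData"]["text"] = REDACTED       # login forms, token exchanges
        _scrub_headers(resp.get("headers", []))
        _scrub_cookies(resp.get("cookies", []))
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = REDACTED       # JSON bodies often echo tokens
    return har


def leaked(har: dict, secrets) -> list:
    """Which of the given secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed HAR with three secrets an attacker could replay.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://sso.example.test/api/me?token=SECRET-QUERY-TOKEN",
        "headers": [{"name": "Authorization", "value": "Bearer SECRET-BEARER"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "SECRET-SESSION-COOKIE"}],
        "queryString": [{"name": "token", "value": "SECRET-QUERY-TOKEN"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=SECRET-SESSION-COOKIE; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "SECRET-SESSION-COOKIE"}],
        "content": {"mimeType": "application/json",
                    "text": "{\"access_token\": \"SECRET-BEARER\"}"},
    },
}]}}
SECRETS = ["SECRET-QUERY-TOKEN", "SECRET-BEARER", "SECRET-SESSION-COOKIE"]

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("before:", leaked(SAMPLE_HAR, SECRETS))
    print("after: ", leaked(clean, SECRETS))
    print(json.dumps(clean, indent=1))
```

Dropping every request and response body is deliberately blunt; for a support ticket about a login flow the headers, status codes and timings are usually what matter, and a body that turns out to be needed can be re-supplied on request. The `leaked` check is the more important half: run it with the live cookie and token values before uploading, so redaction is verified rather than assumed.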
Atlassian mentions in their original advisory[0] that Cloud is not vulnerable. But Atlassian usually just... leaves it at that. No clarification on if Cloud was ever vulnerable in the past or whether there was any evidence of exploitation attempts on Cloud customers. Something I wish they would provide more details on as my company is also an Atlassian customer.
In all of these advisories there has never once been a mention of cloud being vulnerable. I think it's safe to assume cloud runs a similar, if not identical, codebase, and that these issues are simply patched there first before vulnerability announcements are published. But that's the type of thing no company is ever going to be willing to say in public.
Someone in here claimed recently that the Cloud products were forked many years ago, which sounds believable - there's tons of little stuff that only works on either Cloud or on-prem.
> Google Workspace makes it very easy to set up "Advanced Protection" on accounts, in which case it requires using a hardware key as a second factor, instead of a phishable security code.
This isn't immediately actionable for every company. I agree Retool should have hardware keys given their business, but at my company with 170 users we just haven't gotten around to figuring out the distribution and adoption of hardware keys internationally. We're also a Google Workspace customer. I think it's stupid for a company like Google, the company designing these widely used security apps for millions of users, to allow for cloud syncing without allowing administrators the ability to simply turn off the feature on a managed account. Google Workspace actually lacks a lot of granular security features, something I wish they did better.
What is a company like mine meant to do here to counter this problem?
edit: changed "viable" for "immediately actionable". It's easy for Google to change their apps. Not for every company to change their practices.
> What is a company like mine meant to do here to counter this problem?
What is hard about mailing everyone a hardware key? I honestly don't see the problem. It's not like you need to track it or anything, people can even use their own hardware keys.
1. Mail everyone a hardware key, or tell them if they already have one of their own they can just use that.
> Google Workspace actually lacks a lot of granular security features, something I wish they did better.
Totally agree with that one. Last time I checked you couldn't enforce that all employees use Advanced Protection in a Google Workspace account. However, you can still get this info (enabled or disabled) as a column in the Workspace Admin console so you can report on people who don't have it enabled. I'm guessing there is also probably a way to alert if it is disabled.
I can't tell you how happy I am that I don't have to fight with Google Workspace administration anymore. When I was doing it, getting TOTP enforcement enabled was very problematic. You couldn't just set the org to be enforced, because new users wouldn't be able to login, and then you'd have to turn it off for the org any day new people started, then make sure that everybody was enrolled (including existing employees that turned it off while they could), etc.
They finally fixed it, but it took them a long time, and in the meantime, horrible workarounds.
They also had no way of merging two companies' accounts; which is fine because M&A never happens, and Google never acquires anyone using Google Workspace (I certainly would refuse to be acquired by them after using their software, but I'm extra grumpy).