back to article Everything is insecure and will be forever says Cisco CTO

While in Melbourne enduring the antipodean version of Cisco Live!, The Register's networking desk met veep and CTO Bret Hartman. Here's what he told us about network security, a field he feels is basically doomed. Forever. The Register: The last twelve months tells us we have insecure devices connected through gateways, sending …

Anonymous Coward

Moral

Cisco is insecure and will be forever. Maybe it says enough that I fear them adequately to post this anonymously.

3
0
Anonymous Coward

It would be useful if every O/S and every app came with a description of what access to the internet it needed. At least that would give a chance of seeing/blocking low and slow leakage. Knowing what were legitimate IP addresses would help - unless virtual server farms only differentiate HTTP destinations on other parameters in the headers?

1
1
Silver badge

Maybe

But Android (to take one example) already does something similar. What proportion of users do you think read that message about "this app requires access to your location, pulse rate, bank account, ..." before clicking 'install' on their 'must have' game? I'd bet it's <<1%.

0
0
Bronze badge
Paris Hilton

And one of the most idioticaly insecure ideas is IoT, without an strong emphasis on security

Too many IoT devices have really quite pathetic security including stupid system design, that includes many routers! This is quite blatantly because of rushed bad management, which I've see the consequence of in commercial product I've had to spend ages iteratively rebuilding securely!

I look and throw my hands up in horror at how stupid and sloppy the IoT system designs are, so no NEST, or various other proprietary controller appliances for me! WTF is the Nest remote mains powered for? It should be a low power, battery powered, wireless (not WiFi) mesh terminal for smarts in a /wired LAN/ central switch box!

All IoT should only talk via an easily upgradeable hardened gateway server device, not directly with a remote internet server, otherwise it will eventually become an open insecurity puss filled sore!

I'll get my Body Armour.

2
0
Anonymous Coward

So....

Defense in depth out.

We trust an outside vendor with all our security.....

WTF!!!!

5
0
Silver badge
Childcatcher

Re: So....

All enterprise are eagerly looking for ways to outsource security, look for ways to manage security on their behalf.

The sales force is strong in this one! While I agree with some of his points, this one is way off. Yes, there are probably some companies out there trying to cut costs in this manner. They are run by the same guys that will bail with a hefty bonus when this particular bird comes home to roost. My counter-suggestion is to outsource management first.

4
0
Silver badge

His view

The corporate view is one of farming the vulnerabilities of the market. His story would be different if he had other interests. Things could be very secure if that was the actual priority and users were willing to go along with that. That said, he's generally correct because the market isn't going to go off in his/her own direction and eschew the vulnerability causing complexities of bling.

5
0
Silver badge

Re: His view

True, things could be very secure, but not completely secure. Even if people could be persuaded to pay extra for very secure, and to wait for the extra time it takes to develop and test 'very secure', there would still be holes.

We still need to develop a culture that accepts that security breaches will happen, in the same way that houses will catch fire or get flooded. We need to work to minimise the chances of it happening, but we also have to develop and implement systems and procedures to minimise the damage when it does, inevitably, happen.

1
0
Silver badge

Security?

Security costs money which equals profit. So much security can we really expect from any supplier of IoT?

2
0

This post has been deleted by its author

Anonymous Coward

NSA on a keychain

Welcome to the future.. just load LightEater(tm) onto a BadUSB payload and provision it onto a memory stick in the shape of the NSA office building. You can probably get a plastic model of it made in China for a few cents.

Plug it into any device on the network that you desire to own, and the NSA-in-a-box will go to work, auto discovering a few thousand exploits per second until one of them works, and a little smiley face appears on the display.

Easy peezy Japaneezy..

0
0

This post has been deleted by its author

Security is easy

There is an RFC that makes network security a trivially easy thing. All that we need to do is update it for IPv6:

https://www.ietf.org/rfc/rfc3514.txt

We just need to get EVERYONE to fully implement this RFC, and the network security problem is solved forever.

2
2
Silver badge

Re: Security is easy

Oh dear, Ollie - 2 downvotes already. You should really have used the 'Joke Alert' icon, for the benefit of those not familiar with 3514 (issued 1 April, 2003).

2
0

Re: Security is easy

...and there was me thinking that Reg readers read and understood things before commenting or up/downvoting.

Thanks for pointing out the publication date of the RFC. It's an amusing read.

2
0
Silver badge
Joke

Re: Security is easy

Reg readers read and understood things before commenting or up/downvoting

You forgot the joke icon again!

2
0
Silver badge

Network guy thinks the answer to security problems is on the network - I'm shocked...

1
0
Gold badge
Unhappy

And as long as THE PATRIOT Act stays in force

You can bet that situation will never improve.

1
0
Anonymous Coward

His major point is basic common sense.

Security is an arms race and the invaders are evolving at the rate they need to to outwit defenders. That's true in tech, it's true in your home, your immune system, your country and etc.

The question that never seems to get asked even though it really, really should be is 'Do I need to connect this to a global network and does my need outweigh the potential risks?'

I don't see any benefit which would persuade me that connecting a SCADA network to the public internet is worth the risk and, though both the risks and the rewards are more personalised, I can't understand anyone wanting to connect their fridge, their oven or their car either.

0
0
Silver badge

Well... but we are talking about Cisco... this is the company which at least until recently, had all processes on their equipment run in the same address space.

This is also the company which installs cheap router grade software on expensive storage appliances, or the same company which sells VoIP telephones you can ssh into, but they have an authorized_keys file.... which they get via TFTP.

With Cisco there just isn't any indication that they care about security.

0
0
Anonymous Coward

Agree, and in part their lack of interest is the world's lack of interest.

Outside security professionals and high profile celebrities you'll find next to noone who thinks security is important enough to pay attention to. That's why connecting everything to the internet feels like a fundamentally stupid idea to me.

The Cisco CTO has a vested interest in talking up security as an issue but then offering Cisco as the trusted brand name to solve it. The rest of us should think hard about whether the issue is actually worth solving before thinking about whether we even trust them to do it.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017