Well, he’s right too

President-elect Donald Trump has repeatedly questioned whether critical computer networks can ever be protected from intruders, alarming cybersecurity experts who say his comments could upend more than a decade of national cybersecurity policy and put both government and private data at risk.

Asked late Saturday about Russian hacking allegations and his cybersecurity plans, Trump told reporters that “no computer is safe” and that, for intelligence officials, “hacking is a very hard thing to prove.”

“You want something to really go without detection, write it out and have it sent by courier,” he said as he entered a New Year’s Eve party at Mar-a-Lago, his Florida resort.

Step one in making your computer more secure is to disconnect it from the internet.

Step two is to disconnect it from any network at all, especially any that might have even the most vague and multi-step connection to the internet.

Then remove all floppy drives, USB ports, pen drives, etc.

Then watch as your sys admin loots it a la Ed Snowden.

So why is Trump’s simple statement of the obvious truth alarming experts?

36 comments on “Well, he’s right too”

  1. It means their snooping may be under threat too.

    Knowing what Trump is up to has to be part of their plans to control/neutralise him.

  2. Jeeze, are you still using floppies in Portugal, Tim?
    That’s only one step away from having your scribe producing illustrated manuscripts of your data on vellum.

  3. I read some people on a forum saying things like “this twat Trump” and generally, the guy talks a lot of nonsense, but he’s spot on here.

    I also do not believe that the CIA or FBI can know who hacked this unless they have an insider in the FSB or Wikileaks. And honestly, I’m almost certain that the democrat hack is an insider. Email servers are a hard target.

  4. Email servers are a hard target.

    Unless they are installed in the basement by an amateur. Like, say, for Secretary of State Clinton.

    I heard the DNC “hack” was a spearphishing operation against Podesta. So that would exploit the weakest link in any security scheme: the fuckwit between the screen and the chair.

  5. @BiW,

    The question is not whether the CIA has insiders in the FSB and Wikileaks, it’s how many it has.

  6. The nuclear arsenal still uses floppies, I believe.

    The best way to achieve security is to never write things down in the first place. Failing that, paper is quite good too.

  7. Bloke in Wales,

    Yes, indeed. But I just mean that I’d most likely guess a web server hack was external using something like SQL Injection, while I’d normally guess a mail server attack (on a well maintained server) was internal. But yes, a poorly maintained server…

  8. If he’d said the opposite the condemnation would have been equally loud (“What kind of idiot says that we can secure computers on a network. If you want it secure, unplug it.”). I can see that Trump Derangement Syndrome is going to be of a magnitude we haven’t experienced before.

  9. The DNC staff shared passwords with each other. To believe it was a Russian hack involves taking William of Ockham outside, shooting him in the head and then burying him and his Razor in a shallow grave in the garden.

  10. Two things:

    1. Systems are shipped from the manufacturers with default accounts, like ‘sysmanager.’ Job One when I set up new systems was to create admin accounts and lock/delete the default accounts.

    A dozen times I saw professional computer people fail to do this. I wouldn’t be surprised at all if the people who set up Hillary’s server failed to do this.

    2. The weak link is humans. Trump & Tim are correct: when outside access is available, it only takes one human to enable access (whether intentional or by stupidity).

    Okay, a third. Several times I saw systems set up such that login attempts were not metered. Through remote access and knowledge of a username, millions of login attempts succeeded in achieving a login through brute force. All systems that I had influence over were set up with 3-and-out login. 3 bad login attempts and you were disconnected.

    I have no knowledge of Hillary’s server, but, again, I wouldn’t be surprised if it was set up with unlimited login attempts.

    People believe that hacking computers requires genius, but usually it is mundane, simple failures on the part of administrators.

  11. Rob is spot on. John Podesta was using a bloody Gmail account. All it took was a disgruntled DNC staffer after Bernie’s shafting to dump the entire archive.

    Ask Seth Rich. Oh you can’t. He’s dead.

  12. And what Trump is probably commenting on is the relentless volume of hack attacks coming from China, GCHQ, Russia and every script kiddie and pro alike.

  13. “You want something to really go without detection, write it out and have it sent by courier,” he said

    Because there is absolutely no history of couriers and letters being intercepted, say for example, between Mary and the Spanish Ambassador by Walsingham’s agents.

    If someone wants to intercept/obtain information no matter how you send it or store it, they will.

    Probably the most secure is carrier pigeon, but then they would have to get past the hawk, so nothing is 100%.

  14. Email servers are a hard target.

    Never have been, never will be.

    Email protocols (particularly email reading protocols) are too complex and mail servers are generally too exposed.

    But, yes, the human is often an easier target.

    But the important point being that once you have got one human, you can usually pivot to get the entire server.

  15. So that would exploit the weakest link in any security scheme: the fuckwit between the screen and the chair.

    Usually referred to in the industry as either a “peck” or a “Layer 9” problem. “Problem exists between chair and keyboard” or as an extension of the OSI 7-layer model to incorporate humans at layer 9. What exactly is Layer 8 is a matter for beer-fuelled dispute.

  16. Not just any paper: write it in lemon juice on cigarette paper, the recipient to eat it afterwards. At least that’s what our “gang” did in the long ago. You can also communicate using waxed string held taut between two old cans.

  17. A non-trivial number of hacks on mail servers I have seen have been through the web admin interface that the monkey that installed it forgot to lock down. Two notable offenders were RoundCube and iRedMail. Unless you’re a bona fide expert sysadmin, you sort of have to go with the canned packages. Installing a full-blown email system is really tricky, and subject to the problem that tying it down really tight almost always makes your users howl, and then they make you loosen it up again, which is another point at which you often get breached. There are other routes into a system as well. It’s amazing how many systems have an outward-facing SSH server with password authentication enabled on sudo-authorised user accounts. And they don’t have even minimal IDS like fail2ban, so you can bang on the login until you get in, and then you are god.
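Comments 10 and 17 above both describe the same failure: password logins that are never metered, so an attacker can keep banging on an exposed service until a guess lands. The block below is an added example, not code from the post or from anyone in the thread; it applies the “3-and-out” policy comment 10 describes as detection logic over constructed sshd-style log lines. The log lines, IP addresses and the “admin” and “alice” account names are constructed; “sysmanager” is the default account name comment 10 mentions.

```python
import re
from collections import defaultdict

# Constructed OpenSSH-style auth log lines (sample data, not taken from the page).
SAMPLE_LOG = """\
Jan  1 00:00:01 mail sshd[101]: Failed password for invalid user sysmanager from 198.51.100.7 port 40001 ssh2
Jan  1 00:00:02 mail sshd[102]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Jan  1 00:00:03 mail sshd[103]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Jan  1 00:00:04 mail sshd[104]: Failed password for admin from 198.51.100.7 port 40004 ssh2
Jan  1 00:00:05 mail sshd[105]: Failed password for admin from 198.51.100.7 port 40005 ssh2
Jan  1 00:00:06 mail sshd[106]: Accepted password for admin from 198.51.100.7 port 40006 ssh2
Jan  1 00:00:07 mail sshd[107]: Failed password for alice from 192.0.2.9 port 50001 ssh2
Jan  1 00:00:08 mail sshd[108]: Accepted publickey for alice from 192.0.2.9 port 50002 ssh2
"""

DEFAULT_ACCOUNTS = {"sysmanager"}  # vendor default named in the comment; extend per platform

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port"
)

def analyse(log_text, threshold=3):
    """Apply a '3-and-out' policy per (user, source) and return the alerts it raises."""
    failures = defaultdict(int)   # consecutive failures per (user, source)
    locked = set()                # pairs that have hit the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, method, user, src = m.groups()
        key = (user, src)
        if method == "password" and user in DEFAULT_ACCOUNTS:
            alerts.append(("DEFAULT_ACCOUNT_PROBE", user, src))
        if outcome == "Failed":
            if key in locked:
                # The server is still accepting attempts: logins are not being metered
                alerts.append(("ATTEMPT_WHILE_LOCKED", user, src))
                continue
            failures[key] += 1
            if failures[key] >= threshold:
                locked.add(key)
                alerts.append(("LOCKOUT", user, src))
        elif key in locked:
            # A login accepted after the pair should have been cut off: brute force succeeded
            alerts.append(("SUCCESS_AFTER_LOCKOUT", user, src))
        else:
            failures[key] = 0  # a genuine success resets the counter
    return alerts
```

In production the LOCKOUT decision would feed a blocker such as fail2ban rather than a list, and SUCCESS_AFTER_LOCKOUT is the alert that tells you the metering is not actually being enforced at the server.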

  18. So Trump merely questioning whether systems are secure puts data at risk.

    That’s a massive non-sequitur if I ever saw one.

    Cos if the security isn’t questioned, then the security isn’t at risk is it?

  19. You don’t understand, do you?

    My facebook feed is full of panicky crap from my anti-Trump acquaintances, many of them truly experts or experienced in various fields of computer system architecture, security, cyberwarfare etc. etc.

    What these folk see is the Donald calling for anarchy etc:

    “Basically Trump is giving up on the idea of civilization and declaring anarchy as the norm. We shouldn’t have door locks because anyone can break into a home “no house is safe either”. He doesn’t have a clue about technology. So he would reward Putin rather than punishing him?!”

    “It is a form of denialism – if we can’t predict climate change with 100% precision we can ignore it. If we can’t predict ourselves then it’s our fault. No sense of having a police department or societal mechanisms.

    A 19th (or 15th) century president in the 21st?”

    “Actually he’s setting a precedent for having no searchable records, so no foia etc responses.”

    Goodness lawks-a-mercy…

  20. “Actually he’s setting a precedent for having no searchable records, so no foia etc responses.”

    Dumbasses. A sitting President is exempt from FOIA due to the Presidential Records Act of 1978.

    But we don’t want the facts to stop the snowflakes from panicking. It is so much fun.

  21. I can see we’ll have 8 years of fun with Mr Trump. Maybe even get stuff done different, what with a non politician who does understand how business works being in charge.
    What sort of person can follow him? Opened the door for other non politicians to run for the job.

  22. My facebook feed is full of panicky crap from my anti-Trump acquaintances, many of them truly experts or experienced in various fields of computer system architecture, security, cyberwarfare etc. etc.

    Interestingly, my Faceache feed, with a limited number of cyber-security experts (because that’s for actual friends) and my LinkedIn, which is gagging with the nerds (’cause that’s for colleagues) have absolutely none of this.

    Maybe that’s because we’re all too busy cyber-warring?

  23. SE – I see plenty of anti Trump stuff on facebook in various groups and among those in my list.
    I see none of it on LinkedIn, possibly because people are talking about more important stuff.
    Strangely the busiest forum I spend time on has a lot of Americans on it, the political stuff tends to focus on political impact on what we are discussing rather than particular politicians or beliefs. For example discussing a particular modular piece of software and whether it would be exportable under current or proposed laws.

  24. Oh, I see plenty of anti-Trump stuff. I’ve got one friend who was fully in the bag for Bernie and the usual collection of “friends and relations” who think that Trump’s election was the 2nd sign of Ragnarok.

    What I don’t see is a lot of fuss from the (cyber) security community. As Tim said, this is olds not news. There is an old, possibly apocryphal, quote attributed to the FBI about secure computers. It ends up with the computer being buried and a field and the map destroyed. And even then he’s not sure (supply chain interference, for example.)

    Mind you, as somebody who writes exams and does professional qualification assessments for cyber security “experts”, the old saw about only needing to be half a step ahead of the herd is most apposite. Lots of them aren’t actually very good.

  25. Craig Murray may be wrong about many things, but I trust him to tell the truth more than I trust the FBI and the CIA. So if he says he personally knows that it was a leak, that’s good enough for me. Kind of puts all this headless chicken stuff in perspective as well.

  26. Craig Murray may be wrong about many things, but I trust him to tell the truth

    I vaguely suspect Murray might be usually honest but I don’t think he would recognise the truth if it was naked and giving him a lap dance.

  27. Here is the Craig “I’ve got important mates” piece.

    It doesn’t say anything ‘wrong’ but it is a hearsay opinion from somebody now out of the loop (or he wouldn’t be giving his opinions on such matters to obvious security problems like Craig.) The question is not whether Russian hackers were being observed but whether one group’s activities against a group of people who would moan like offended SJWs if they got an inkling any part of their activity was under NSA surveillance was. And the answer seems to be either “no” or “no comment because secrets.”

  28. “Problem exists between chair and keyboard”

    Yes, commonly abbreviated as PEBKAC. I went with “screen” above because I was thinking a keyboard would be too high tech for a politician.

  29. @ SE
    For real security shouldn’t the field as well as the map be destroyed? I was quite happy with the original version of your post.
