As annoying as it is that yet another company has pants on head retarded security practices surrounding responsible disclosure, finishing up this post with a thinly veiled advertisement for a commercial product seems rather poor form and leaves me questioning the entire thing.
In the subsequent days and weeks, I reset all of my passwords, threw away all my computers, bought new computers, factory-reset my phone...
That seems like an overreaction, even from a security-conscious person. Throwing away $5,000 worth of hardware (instead of... unplugging them) without any real evidence they'd been infected.
In his defense, his threat model, as the head of a well-known company that makes tools for people who need high levels of encryption, is very different from your threat model or mine. Like, targeted attacks by nation states are probably in-scope.
I agree. It seems crazy at first blush, but they're a security company. They've taken over $10M in funding and have a significant number of employees and offices in four of the most expensive cities in the US (NYC, Seattle, Chicago, and SF).
$5000 is nothing compared to the risk of the company's CEO being compromised. That has the potential to be a company-ending event, and it's absolutely not worth taking that chance (however unlikely it is) to save $5000.
By that token, why spend $5k on a new computer but not any money on a new phone?
No, yeah, that's fair. Unless he has a very minimal setup on his phone (and maybe even then), I would likely have suggested a new phone if he's getting all new other hardware.
I'm confused why Max didn't just reformat his computer... unless someone spiked his hardware, that would fix any potential intrusion.
They could have a rootkit, BIOS exploit, etc. Unlikely, but $5000 is nothing for him or his company, so why take the risk?
Based on his position as the CEO of a security/encryption company, his threat model is definitely different from most of ours, and someone having "spiked his hardware" (think nation-state level stuff, like the Equation Group's hard drive firmware malware) is definitely not out of the question.
Because this exists:
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
https://www.eset.com/int/uefi-rootkit-cyber-attack-discovered/