Posts by pc-fluesterer.info 184 publicly visible posts • joined 23 Feb 2020
Which part do you regard as 'reasonably secure'? Lets have a look.
Firewalls and other network gear from Cisco, Citrix, and the rest of the breed: NO.
Everything from Microsoft: NO.
Database from Oracle or the like: NO.
Cloud computing at Amazon, Google, Microsoft: NO.
TBC.
Let alone compliance with best practice (least privilege, brute force protection, MFA, you name it).
There are two CSF:
1. Do not, repeat NOT, employ proprietary (closed-source) products. They are riddled with backdoors, from network appliance to backoffice. With FOSS there is still no guarantee, but you are better off by orders of magnitude.
2. Adhere do best practice (least privilege, MFA, you name it).
"invent a computer that can't be compromised by opening a malicious email attachment or clicking on a malicious web link"
No need do reinvent the wheel, because it does exist already. Use FOSS (Linux, LibreOffice and the like) AND adhere to best practice (least privilege, network segmentation, you name it). Replace ALL proprietary network gear. Just one current example: https://www.theregister.com/2026/01/08/rcisco_ise_bug_poc
No one said that the migration from the current M$ biotope to a safe system will be easy, but it is possible - and necessary!
A protection easy to to employ is: NoScript. On unknown domains it keeps JS blocked by default, which is an very sound approach. Beyond that you can block "untrusted" domains (tracking, ads) for good, and of course you can allow JS for trustworthy domains.
Granted, this protection fails if a "trustworthy" domain is hacked and altered.
If you don't control EVERYTHING in the device, including baseband, you never know which backdoors may be hidden in the proprietary HW and code. Qualcomm is a US-firm that has gotten a NSL for sure. Qualcomm has a record of security holes suspected to be backdoors. I for one wouldn't put money on this device.
In the report I can read (part of Initial Access TTPs):
- Outlook NTLM vulnerability (CVE-2023-23397)
- Exploitation of Internet-facing infrastructure, including corporate VPNs [T1133], via public vulnerabilities and SQL injection [T1190]
- Exploitation of WinRAR vulnerability (CVE-2023-38831)
What would the use of FOSS change here?
No more questions.
Yes, you could make life easy and blame attacks on not employing MFA.
But if you use network gear riddled with backdoors for the three-letter-agencies, you are lost. Anyone remember the US-Telcos case?
The only fundamental solution is the migration to FOSS on all levels from network gear to the back office servers.
Denmark and Estonia both have built their Civil Services completely on FOSS. Ransomware attacks are plain unknown.
So, what ramifications will follow?
None, of course.
Perhaps a bit of user training, because a user was the culprit, no?
But I bet that they will continue using M$ and other closed-source sh.t, buggy and riddled with backdoors.
Consider migration to FOSS? Oh, nooo!
Before that could happen the hell freezes over.
Oh well.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2026
