And I love that quote, because it suggests the existence of another - very slow, but very high throughput network, human to human, embedded device to embedded device. You could even go without centralized infrastructure there.
Just the organisms formed by the devices (a line of home routers is a "street", a group of devices meeting every morning is a "bus", etc.) and the routing address is basically an "interaction" with data-organism map route-finding. No ISP involved anywhere. But your info still gets to the airport, hops on a cellphone and gets to the goal.
> And I love that quote, because it suggests the existence of another - very slow, but very high throughput network, human to human, embedded device to embedded device
This is the network that operation Olympic Games used to get Stuxnet into the Natanz facility. Contractor laptops are a major part of that network.
It's just like how we once used UUCP and Fidonet for email / news / message boards to remote systems that only had intermittent dialup connectivity in the 1980s and 1990s. Pockets of local communities would pool together to share a single system that would make the long distance calls to another city to send and receive messages. That really helped when long distance cost $0.34/minute and could be shared by hundreds of end users.
For the old SunRay thin clients one could disable the USB ports by policy (and enable them for certain users, IIRC). That was an important feature there, as one intended application was as public kiosk systems, e.g. in a library.
The same is possible in Windows 10 and 11, but the users will revolt if a sysadmin were to enforce that (the same users who insist on using Windows instead of a more secure system).
> For the old SunRay thin clients one could disable the USB ports ....
> The same is possible in Windows 10 and 11, but the users will revolt, if a sysadmin were to enforce such (the same users who insist on using Windows instead of a more secure system).
Can I add a little more colour here (I have worked in and designed for very secure environments) - users will revolt if removing the USB ports makes their life more difficult. This can work if there is an effective feedback loop that makes sure the users can still do their jobs efficiently in the absence of USB ports, and corrects for them when they can't. Users won't go around something unless it gets in their way!
Plenty of organisations enforce "no USB devices" on all their users. Not even super secure places, but just many regular admin-type office workers get their USB ports disabled in software.
Partly it's to prevent leaking of company secrets and unauthorized use of corporate devices for home use; it's also harder to track the location of data, and there's the possibility of malware.
> Interesting. So no USB camera, headset, etc either?
My workplace has a policy of no USB storage devices (though you can request an exception). By default, other USB devices work, and storage devices are mounted as read-only.
I don't think the goal is so much system security as preventing data breaches/data exfiltration.
I work in finance, and this sort of setup is pretty common. Yes, I have a USB headset and camera for calls. My USB keyboard and mouse work just fine. If I plug my phone in, best I can do is charge it (slowly), so I use a wall-plug charger instead.
I could easily bypass the policy since I have the permissions to do so, but I won't. Working in the trading/hedge fund space, it's not unheard of to see employees sued for stealing trade secrets (quant models, for example). One only needs to search "citadel sues former employees" for examples.
edit: former Citadel employee; have not worked there in over a decade.
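The policy described in the two comments above (storage read-only, phones charge-only, keyboards and headsets untouched) is what the Windows "Removable Storage Access" policy keys express. The script below is an added example, not code from anyone in this thread: it writes the same HKLM values the Group Policy editor writes and then audits them for drift. The device-class GUIDs are the ones from RemovableStorage.admx; check them against your own ADMX copy before deploying, and note the function names (Set-RemovableStoragePolicy, Test-RemovableStoragePolicy) are this example's own.

```powershell
# Added example: enforce "removable disks read-only, phones charge-only" on
# Windows 10/11 via the Removable Storage Access policy keys. Run as
# Administrator. Fleet-wide you would push the same keys by GPO or Intune.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs as listed in RemovableStorage.admx (verify against your copy).
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # USB sticks, external disks
$WpdDevices     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}', # phones/cameras in MTP/PTP mode
                    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-RemovableStoragePolicy {
    # Removable disks stay readable but cannot be written to or executed from.
    Set-PolicyDword -Path "$Base\$RemovableDisks" -Name 'Deny_Write'   -Value 1
    Set-PolicyDword -Path "$Base\$RemovableDisks" -Name 'Deny_Execute' -Value 1
    # Phones: no file transfer in either direction, so plugging in only charges.
    foreach ($g in $WpdDevices) {
        Set-PolicyDword -Path "$Base\$g" -Name 'Deny_Read'  -Value 1
        Set-PolicyDword -Path "$Base\$g" -Name 'Deny_Write' -Value 1
    }
}

function Test-RemovableStoragePolicy {
    # Audit: one row per expected value; Ok = $false means someone (e.g. a local
    # admin) has flipped it back. Feed this into your config-drift monitoring.
    $expected = @(
        @{ Path = "$Base\$RemovableDisks"; Name = 'Deny_Write';   Value = 1 },
        @{ Path = "$Base\$RemovableDisks"; Name = 'Deny_Execute'; Value = 1 }
    )
    foreach ($g in $WpdDevices) {
        $expected += @{ Path = "$Base\$g"; Name = 'Deny_Read';  Value = 1 }
        $expected += @{ Path = "$Base\$g"; Name = 'Deny_Write'; Value = 1 }
    }
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Path = $e.Path; Name = $e.Name
            Expected = $e.Value; Actual = $actual; Ok = ($actual -eq $e.Value)
        }
    }
}

Set-RemovableStoragePolicy
Test-RemovableStoragePolicy | Format-Table -AutoSize
```

Two caveats a practitioner will want. First, these keys gate only the storage and portable-device classes: a "keyboard" hiding in a cable (the BadUSB case raised further down) still enumerates as HID and is untouched, so an HID-only posture needs the separate Device Installation Restrictions policy, not shown here. Second, the values live in HKLM and are trivially reversible by anyone with local admin, which is exactly the "I could bypass it but won't" situation above; the audit function exists so that the reversal is at least visible.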
The few occasions I worked in a bank, our client made it very clear that anyone inserting a USB drive anywhere would be walked to the front door by security within an hour.
Today the malware can be in a cable, it doesn't need to be a drive. Some of these cables also behave like they should, so they are difficult to notice.
I used a Sun Ray thin client on an airgapped network in my first job, working for the government. They were perfect for this.
No persistent storage, so no concerns about easily recoverable classified data sitting on desks. You could disconnect from your session and pick it up again in the other office across town, or just leave your stuff running overnight.
I had a PS/2 keylogger disguised as an extension cable, controllable by specific keystroke, and it would dump its records as typed text... Simple and efficient!
But it still cuts down on attack surface, no? Most USB hacks are via ignorant employees plugging in compromised USB drives/devices, or am I missing something here? The hot glue is a significant reminder that you add "you can be fired for misusing company computers" to the company employee manual.
Depends. It won't help against exploitative firmware or shocker devices, but most USB exploits don't come with zero-day firmware exploits or even require user interaction, which this policy will prevent.
Additionally, even when attacked with such extreme measures, most users won't try to plug in planted, potentially malicious USB devices if they don't expect them to work.
In organizations where only HID USB devices are allowed, not mass storage? I'm not aware of any reported successes in that environment, although it's theoretically possible (Heck, you could even have your evil HID-presenting SOC USB stick open a command prompt and type in the malware if it detects a long enough lapse in input without an obvious screen lock command).
It is, but if your organization completely forbids any non-HID USB devices, users are less likely to try their found USB stick on a company PC, since they don't expect it to work anyway.
But isn't part of security realizing that there is no 100% solution? It's all about probability. Air gapping cuts down on the number of interactions with the network at large. Lots of packet drops that will never reach it, easy to make sure the number of ports available to interact with it? I worked at places with 25-year-old DOS running in a VM running multi-million dollar machines and they had never been infected with anything, probably because they are air gapped and who can "touch" them is quite limited to trained personnel only.
> But isn't part of security realizing that there is no 100% solution? ... Air gapping cuts down on the number of interactions with the network at large.
My point is that, practically speaking, most companies don't have the discipline to actually keep an air gap up, long-term. You inevitably need to get data in and out of the air-gapped systems.
The "air gapped" networks I've seen end up not actually being air gaps. Real air gaps are inconvenient, so eventually somebody installs a dual-homed host or plugs the entire segment into a "dedicated interface" on a firewall. Even without that, contractors plug-in random laptops and new machines, initially connected to the Internet to load drivers / software, get plugged-in to replace old machines. The "air gap" ends up being a ship of Theseus.
I had a Customer who had DOS machines connected to old FANUC controllers. They loaded G-code off floppy diskettes. Eventually those broke and they started loading G-code over RS-232. The PCs didn't have Ethernet cards-- their serial ports were connected to Lantronix device servers. It wasn't ever really an air gap. It was a series of different degrees of "connectivity" to the outside world.
"At best, an air gap is a high-latency connection" -Ed Skoudis - DerbyCon 3.0