Rocksolid Light



Corporate (cyber) security

From: blockedo...@foo.invalid (Don Y)
Newsgroups: sci.electronics.design
Subject: Corporate (cyber) security
Date: Fri, 14 Oct 2022 03:08:35 -0700
Organization: A noiseless patient Spider
Message-ID: <tibcfc$22as3$1@dont-email.me>
https://www.novabbs.com/tech/article-flat.php?id=107922&group=sci.electronics.design#107922

Yet another, "oops":

<https://techmonitor.ai/technology/cybersecurity/intel-confirms-source-code-leak>

I'm small so I can afford more draconian measures to keep my IP safe (from
all but physical attack) without incurring significant costs/inconveniences

But, how do "bigger firms" (hundreds of people wanting internet access
along with access to the corporate internet) safeguard their IP? Unless
you really clamp down on the services allowed through your perimeter
defenses, it's a nightmare to reassure yourself that there are no new
0-day exploits (or even "recognized-but-not-yet-patched" exploits)
that can eat your lunch. Esp if you are actively updating those
systems.

Re: Corporate (cyber) security

From: jer...@nospam.please (Jeroen Belleman)
Newsgroups: sci.electronics.design
Subject: Re: Corporate (cyber) security
Date: Fri, 14 Oct 2022 14:17:21 +0200
Organization: Aioe.org NNTP Server
Message-ID: <tibk0h$1igr$1@gioia.aioe.org>
References: <tibcfc$22as3$1@dont-email.me>
https://www.novabbs.com/tech/article-flat.php?id=107925&group=sci.electronics.design#107925

On 2022-10-14 12:08, Don Y wrote:
> Yet another, "oops":
> [Deleted...]
> [...] it's a nightmare to reassure yourself that there are no new
> 0-day exploits [...] Esp if you are actively updating those
> systems.
>

That's an interesting observation, if that is what you really meant
to say. Did you?

Jeroen Belleman

Re: Corporate (cyber) security

From: ${send-d...@jusme.com (Ian)
Newsgroups: sci.electronics.design
Subject: Re: Corporate (cyber) security
Date: Mon, 17 Oct 2022 10:49:29 -0000 (UTC)
Organization: Wet Socks!
Message-ID: <slrntkqcpp.dt1.${send-direct-email-to-news1021-at-jusme-dot-com-if@vm46.home.jusme.com>
References: <tibcfc$22as3$1@dont-email.me>
https://www.novabbs.com/tech/article-flat.php?id=108158&group=sci.electronics.design#108158

On 2022-10-14, Don Y <blockedofcourse@foo.invalid> wrote:
> Yet another, "oops":
>
><https://techmonitor.ai/technology/cybersecurity/intel-confirms-source-code-leak>
>
> I'm small so I can afford more draconian measures to keep my IP safe (from
> all but physical attack) without incurring significant costs/inconveniences
>
> But, how do "bigger firms" (hundreds of people wanting internet access
> along with access to the corporate internet) safeguard their IP? Unless
> you really clamp down on the services allowed through your perimeter
> defenses, it's a nightmare to reassure yourself that there are no new
> 0-day exploits (or even "recognized-but-not-yet-patched" exploits)
> that can eat your lunch. Esp if you are actively updating those
> systems.

They upload them to Microsoft / Google / Amazon so they have someone to blame
when they do get leaked...

Our company went from outright banning of cloud storage to mandating OneDrive :(

--
Ian

"Tamahome!!!" - "Miaka!!!"

Re: Corporate (cyber) security

From: blockedo...@foo.invalid (Don Y)
Newsgroups: sci.electronics.design
Subject: Re: Corporate (cyber) security
Date: Mon, 17 Oct 2022 19:25:24 -0700
Organization: A noiseless patient Spider
Message-ID: <til2qn$3lfv2$2@dont-email.me>
References: <tibcfc$22as3$1@dont-email.me>
<slrntkqcpp.dt1.${send-direct-email-to-news1021-at-jusme-dot-com-if@vm46.home.jusme.com>
In-Reply-To: <slrntkqcpp.dt1.${send-direct-email-to-news1021-at-jusme-dot-com-if@vm46.home.jusme.com>
https://www.novabbs.com/tech/article-flat.php?id=108221&group=sci.electronics.design#108221

On 10/17/2022 3:49 AM, Ian wrote:
> On 2022-10-14, Don Y <blockedofcourse@foo.invalid> wrote:
>> Yet another, "oops":
>>
>> <https://techmonitor.ai/technology/cybersecurity/intel-confirms-source-code-leak>
>>
>> I'm small so I can afford more draconian measures to keep my IP safe (from
>> all but physical attack) without incurring significant costs/inconveniences
>>
>> But, how do "bigger firms" (hundreds of people wanting internet access
>> along with access to the corporate internet) safeguard their IP? Unless
>> you really clamp down on the services allowed through your perimeter
>> defenses, it's a nightmare to reassure yourself that there are no new
>> 0-day exploits (or even "recognized-but-not-yet-patched" exploits)
>> that can eat your lunch. Esp if you are actively updating those
>> systems.
>
> They upload them to Microsoft / Google / Amazon so they have someone to blame
> when they do get leaked...

That *could* work; at least it could provide an accounting as to who
accessed the materials.

But, once pulled down to local media, you're back in the same boat;
how do you protect "Bob's copy" from being accessed/leaked?

> Our company went from outright banning of cloud storage to mandating OneDrive :(

<shrug> I never saw the appeal of out-storing YOUR data.
Likely part of that oscillating strategy of internal/external,
diskless/workstation, etc. choices.

"Everything comes back in fashion -- if you wait long enough!"

Re: Corporate (cyber) security

From: lcargi...@gmail.com (Les Cargill)
Newsgroups: sci.electronics.design
Subject: Re: Corporate (cyber) security
Date: Wed, 19 Oct 2022 14:22:28 -0500
Organization: A noiseless patient Spider
Message-ID: <tipipm$3nco$1@dont-email.me>
References: <tibcfc$22as3$1@dont-email.me>
In-Reply-To: <tibcfc$22as3$1@dont-email.me>
https://www.novabbs.com/tech/article-flat.php?id=108385&group=sci.electronics.design#108385

Don Y wrote:
> Yet another, "oops":
>
> <https://techmonitor.ai/technology/cybersecurity/intel-confirms-source-code-leak>
>
>
> I'm small so I can afford more draconian measures to keep my IP safe (from
> all but physical attack) without incurring significant costs/inconveniences
>
> But, how do "bigger firms" (hundreds of people wanting internet access
> along with access to the corporate internet) safeguard their IP?  Unless
> you really clamp down on the services allowed through your perimeter
> defenses, it's a nightmare to reassure yourself that there are no new
> 0-day exploits (or even "recognized-but-not-yet-patched" exploits)
> that can eat your lunch.  Esp if you are actively updating those
> systems.
>

It's a matter of estimating risk, multiplying by cost of a failure
and otherwise guessing. There's a whole chain of command specialized in it.

If a sufficiently-interested and capable party wants to get you,
you get got. That's mostly human engineering these days.

The last Fortune 500 I worked for, we airgapped all product development.

All work was done in a (disposable) VM in addition. We had reference
images of the VM (without SCM data) on something optical for
recreating VMs.

Telemetry was done locally onsite and only accessible thru SFTP offsite
and then deleted on the source side. If I wanted telemetry for testing,
I had to either use that or drive to the site.

--
Les Cargill

Re: Corporate (cyber) security

From: blockedo...@foo.invalid (Don Y)
Newsgroups: sci.electronics.design
Subject: Re: Corporate (cyber) security
Date: Wed, 19 Oct 2022 14:15:34 -0700
Organization: A noiseless patient Spider
Message-ID: <tippds$4799$1@dont-email.me>
References: <tibcfc$22as3$1@dont-email.me> <tipipm$3nco$1@dont-email.me>
In-Reply-To: <tipipm$3nco$1@dont-email.me>
https://www.novabbs.com/tech/article-flat.php?id=108395&group=sci.electronics.design#108395

On 10/19/2022 12:22 PM, Les Cargill wrote:
> Don Y wrote:
>> Yet another, "oops":
>>
>> <https://techmonitor.ai/technology/cybersecurity/intel-confirms-source-code-leak>
>>
>> I'm small so I can afford more draconian measures to keep my IP safe (from
>> all but physical attack) without incurring significant costs/inconveniences
>>
>> But, how do "bigger firms" (hundreds of people wanting internet access
>> along with access to the corporate internet) safeguard their IP?  Unless
>> you really clamp down on the services allowed through your perimeter
>> defenses, it's a nightmare to reassure yourself that there are no new
>> 0-day exploits (or even "recognized-but-not-yet-patched" exploits)
>> that can eat your lunch.  Esp if you are actively updating those
>> systems.
>>
>
> It's a matter of estimating risk, multiplying by cost of a failure
> and otherwise guessing. There's a whole chain of command specialized in it.

Yes -- and, apparently, often guessing wrong! :>

> If a sufficiently-interested and capable party wants to get you,
> you get got. That's mostly human engineering these days.

But relies on them being able to get access to those people
AND having those people have access to the things they want to capture.

> The last Fortune 500 I worked for, we airgapped all product development.

That's how I operate. We have three different (and isolated) internets
active, here. *This* one just has this machine for email/WWW and a
printer for anything that we might want hard-copies of (like
"bring this notice to your vaccination appointment").

The office runs on its own network and can't "phone out" (nor can anything
"phone in"!). So, the various binaries that I use -- as well as my IP -- are
isolated. In the event something gets *into* the network (e.g., via
something sneaker-netted), there's no way for it to direct anything *out*.

But, I would imagine having an entire organization having to use different
machines for outside communication vs. internal development would be
tedious (dunno, my last 9-to-5 predated the internet and email).
Any mechanisms (bastion host) to make this easy/convenient would be
potential attack surfaces (vs. the absence of such in my scenario).

> All work was done in a (disposable) VM in addition. We had reference images of
> the VM ( without SCM data ) on something optical for recreating VMs.
>
> Telemetry was done locally onsite and only accessible thru SFTP offsite
> and then deleted on the source side. If I wanted telemetry for testing,
> I had to either use that or drive to the site.

I rely on FTP even between local machines in the office, SMB shares being
too easy to mess up. (And, there are devices that don't support network
file systems that *do* host FTP sessions.)

But, again, all of this comes at a cost in terms of convenience. I'm
not sure how many firms can impose those sorts of measures, esp with
the tech wizards CLAIMING they can keep things secure. (I always ask
them, "Then why are you working here instead of at <big-name-firm>
who was recently pwned and could obviously benefit from your INFALLIBILITY?")

<crickets chirp>
