Air gaps never exist (2011)

tlrobinson 10 years ago |

Doesn't "air gapped" imply physical separation? Putting a firewall, even if it's totally locked down, between two networks does not make it "air gapped".

delinka 10 years ago | |

You can get physical separation with WAPs, too...

kinghajj 10 years ago | | |

Technically that's not physically separate, as photons are physical entities.

jimrandomh 10 years ago |

> "How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website."

Sounds like the real problem was they didn't have a better mechanism for getting things like that in. If a security system stops people from doing their jobs, they'll poke a hole in it unless you provide a better option.

AnimalMuppet 10 years ago | |

> Sounds like the real problem was they didn't have a better mechanism for getting things like that in.

Any mechanism for getting things like that in is a break in the air gap, by definition. (Well, by a strict definition.) But at least a better mechanism would be managed by security policy, not by underlings' need to get their job done. (That is, the security policy would have to take into account the need for updates as well as the potential security implications of importing new executable code from outside.)

elchief 10 years ago |

Pedantically, not a "gap" if there's a network cable going to another network...

jis 10 years ago | |

Years ago I was told by a colleague that he was required to setup an administrative system that was NOT connected the network, but also had to be able to send and receive e-mail.

The inherent contradiction was lost on the people giving the orders. So...

Nadya 10 years ago | | |

Well he was an expert.. wasn't he?

https://www.youtube.com/watch?v=BKorP55Aqvg

(Draw seven perpendicular red lines)

msm23 10 years ago | | |

Never thought I'd see it, but here's the solution to the expert problem:

https://www.youtube.com/watch?v=B7MIJP90biM

Credit to D. Scott Williamson, Expert

Nadya 10 years ago | | |

My personal favorite solution: http://i.imgur.com/fdHpJS4.png

jib 10 years ago | | |

That sketch annoys me. Sure, marketing/sales/PM/design guys are idiots, whatever.

Here are 11 things "I can't do it" can mean:

I don't have time

I don't want to

I don't have anyone who knows how to

I want someone else to do it

I don't want to maintain it once built

I want to work on this other thing

Doing it would take away job security for me

I think it is beneath me

You're not going to use it anyway

I don't think it is worth doing

I think it is too expensive

I think it would be easyish to fill out another 10 reasons for what "can't" really means that are more common than "it is flat out impossible regardless of budget/resources".

Nadya 10 years ago | | |

>I think it would be easyish to fill out another 10 reasons for what "can't" really means that are more common than "it is flat out impossible regardless of budget/resources".

Yes. But the skit isn't about that.

I often get impossible tasks from managers. Luckily when I tell them why they actually listen and aren't purposefully obtuse like the team from the skit. But the obtuse manner of the meeting is part of the comedy. Sometimes the management/sales/marketing team just doesn't get it.

The most common request?

"Please enhance this 92x92 .jpg logo x5-x10 its current size without lowering the quality of the logo."

My most common pushback?

"Sure. Get with their designer and get me the original file, be it .psd or .ai so that I can work with a larger resolution copy of the image. If they don't have the original file for their logo, you are asking for one of two things: 1) Recreate their logo or 2) The impossible. If (1) my answer is no. If (2) my answer is with modern technology, I can't."

I've also been asked to uncrop photos. Not as in "restore a backup from before we saved over it with a cropped version" but literally uncrop a photo.

I don't necessarily blame these people or get angry with them. I blame CSI and other investigative shows where they "enhance" a blurry photo to 4k crystal-clear resolution and read the reflection off of a button of a guys' jeans to read the licence plate of his car. They've been told this shit is possible by TV shows that use just-enough real tech to make the fake tech seem real to people outside of the loop.

kbenson 10 years ago | | |

The crazy thing is that the fake tech is also often actually real, but real in the sense that there's a recent academic paper where in certain specific conditions they were able to do what is being asked ask by using lots of math, domain knowledge, and custom programming, at a total cost of hundreds of thousands to millions of dollars when it's all done.

Does that help you in any way in a commercial setting? No, unless you are Google or Apple or the like and it's not a simple request but the basis of a new business division.

andreyf 10 years ago | | |

> I don't necessarily blame these people or get angry with them. I blame CSI and other investigative shows where they "enhance" a blurry photo to 4k crystal-clear resolution and read the reflection off of a button of a guys' jeans to read the licence plate of his car.

I wouldn't get angry with them, but I would certainly blame them for thinking something is possible which a small child should be able to tell is not. I would advise you avoid working with people who believe computers are literally magic, as your life will be much better.

vacri 10 years ago | | |

Half of those are perfectly valid responses. "I don't have time" or "I don't know anyone who knows how" or "it is too expensive" - these aren't the passive-aggressive responses that you're implying.

kbenson 10 years ago | | |

Those aren't the responses, otherwise it would be fine, you would be accurately communicating the actual problem. Instead, those are the underlying reason for just saying "I can't do it" instead of being forthcoming.

cpdean 10 years ago | | |

+1, parenthetical

tetraodonpuffer 10 years ago | | |

if the requirement is just email, seems like it would be quite feasible to set something up so that the MTA on the administrative system tunnels the email to the MTA of something network-connected in a non-tcp/ip kind of way (PTP microwave/laser link, printer-carrier pigeon-scanner combo, ...) that just passes the message over while remaining air-gapped

sophacles 10 years ago | | |

Oh neat... so i just have to own the system by sending a bad attachment (containing the malware), and having exfiltration happen via mail attachments. Got it.

bcoates 10 years ago | | |

I've seen actual near-airgapped systems that communicate by fax as risk reduction. Email-to-fax gateways rendered attachments and such in the DMZ, then dialed into the secure side, the theory being that owning a T1 fax card over the PSTN is much harder than sending a malicious email.

pwg 10 years ago | | |

UUCP delivered email (and Usenet and file transfers) for a very long time before full time network connections became the norm.

https://en.wikipedia.org/wiki/UUCP

So, it is possible to send/receive email without an always on network connection.

jrochkind1 10 years ago | | |

Heck, you could even do it with a never-on network connection, if someone wants to periodically ferry the ingoing/outgoing email over on a drive.

That probably isn't what the requirements makers had in mind though.

mikeash 10 years ago | | |

I can see it now. You spend a month implementing a fancy, modern store-and-forward system that ticks all the boxes and provides an excellent blend of security and functionality. Then you get called into the big shot's office because he wants emails to go through in under ten seconds.

alkonaut 10 years ago |

I thought "air gap" meant a machine or network that is physically separated (these days also without any radio connection) to other machines.

How can those not exist?

genericresponse 10 years ago |

That's why you commit to multiple layers and types of defensive and recovery measures. Intelligence, preparation, prevention, prevention, prevention, monitoring, adaptation, more monitoring, effective response, well planned recovery.

kbenson 10 years ago | |

I'm pretty sure you missed another 2-3 prevention layers. Shit's pretty dire after you're past that layer.

_wldu 10 years ago |

Air gaps can also be bridged by using radio or sound waves. There could be a bunch on non-networked computers in a secure lab all talking to each other. This assumes trojaned hardware and/or operating system software in the systems that can send and receive data and commands.

Finally, technology such as Morse Code is still useful in these scenarios. Dits and dahs. Zeros and ones. That's all you need to be able to send and recv data.

http://www.jocm.us/index.php?m=content&c=index&a=show&catid=...

http://www.wired.com/wp-content/uploads/2014/11/air-hopper-m...

hackuser 10 years ago |

> the blue cables in gas filled tubes

Cat5/6 cables? Why would they be in gas-filled tubes?

wallaceowen21 10 years ago |

Back in the early days of Ethernet there were fiber to AUI widgets, that used 2 multimode fibers, one for TX, one for RX. We used these on classified systems with ony RX connected - we could send data in to these systems over UDP, and it was truly a one-way path.

munin 10 years ago |

> I have seem so many kludges connecting SIPPER and NIPPER networks

I don't know how much I trust someone who can't even get the acronym for SIPR and NIPR right (https://en.wikipedia.org/wiki/SIPRNet https://en.wikipedia.org/wiki/NIPRNet)

andreyf 10 years ago | |

from the link: "SIPRNet and NIPRNet are referred to colloquially as sipper-net and nipper-net (or simply sipper and nipper), respectively"

munin 10 years ago | | |

when you pronounce them, sure, but why capitalize them like an acronym, but mis-spell the acronym?