20 sats \ 1 reply \ @Reachableceo OP 9 Sep 2023 \ parent \ on: What if your threat model does include a nation state ? tech
"North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them suck, and badly."
Yes. This is very true. I enjoyed The Lazarus Heist podcast for a deep dive on all that.
I've toyed around with launching a crypto exchange, riding the rails of the high-assurance and compliant infrastructure we are building out anyway as we go through all the hoops to be a prime US Government contractor with facility clearance, etc. Once you have your own proper PKI and K8S, it's amazing how "easy" everything becomes and how low your marginal costs drop. :)
"Companies do little to nothing when it comes to security innovation"
Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors? (I know the blame lies with both). Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together.
I hang out in /r/netsec and other similar forums.
Thank you for the detailed/principled reply. It's appreciated.
Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors?
Mainly vendors. They'll often drive towards profit and only do what's required or industry standard for their information security or the security of their products - no need to go above since for them that'll just be more costs and less profit. Think the commercialization of products selling security features with special names and marketing frills like 'military-grade' - no innovation when you are doing the same thing as everyone else.
iPhones are sold as the most secure phone, when in practice an iPhone and an Android (Pixel) are extremely similar in their implementations (default disk encryption, private messaging app, permission controls, a secure element, etc.), just as an example.
Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together.
A lot of the best results come from groups like this I think. It's likely why Apple and Google (Project Zero) have their own dedicated teams for these things too.