Hacker News

voodooEntity, yesterday at 10:35 PM, 5 replies

So, since this seems to be relevant: I'm a CISO myself.

And I would definitely not agree with everything in this letter.

Personally, I think the worst part about it is handling a low probability as something that's not gonna happen. That's, especially in IT-Sec, one of the worst practices.

To take one point as an example: the "never scan public QR codes".

Apart from the fact that there have been enough exploits in the past (the USSD "Remote Wipe", iOS 11 Camera Notification Spoofing (iOS, 2018), ZBar Buffer Overflow (CVE-2023-40889), etc.), even without a 0day exploit QR codes can pose a relevant risk.

As a simple example, not too long ago I was in a restaurant which only had their menu in the form of a QR code to scan. Behind the QR code was the link to a PDF showing the menu. This PDF was hosted on a free-to-use web service that allowed you to upload files and get a QR code link to them. There was no account-managed control over the PDF that they linked to; it could be replaced at any time, opening a whole different world of possible exploitations via whatever file is being returned.

Sure, you could argue "this is not a QR code vulnerability, just bad practice by the restaurant owner" - but that's the point. For the user there is literally no difference whether the QR code itself has a malicious payload or the URL behind it does (etc. etc.).

While we in the tech world might understand the difference, for John and Jane Doe this is the same thing. And for them it's still a possible danger.

Apart from that, recently a coworker linked me a "hacker" video on YouTube showing a guy in an interview talking about the O.MG cable. Sure, you might say this is also an absolutely non-standard attack vector, yet it still exists. And people should be aware it does.

My point is: by telling people that all those attack vectors are basically "urban myths" you just desensitize the already not well enough informed public to the dangers the "digital" poses to them. And from my personal view, we should rather educate more than tell them "don't worry, it will be fine".

Replies

johncoatesdev, yesterday at 11:59 PM

It's funny your warning about QR codes goes on to warn about PDF exploits. Yet you clicked the link to this article, by your own definition opening you up to "a whole different world of possible exploitations via whatever file is being returned". It's the nature of the internet to follow links, but our updated browsers keep us safe from exploits.

When was the last time you saw an un-targeted mass 0-day exploit campaign? There haven't been any for modern browsers. If we're talking about 0-days, you likely know there have been zero-click iMessage/WhatsApp vulnerabilities in the past. There's no protecting against those, but you're not here warning users to disable iMessage and WhatsApp. What's more realistic is making sure users keep their software updated, and trusting that QR codes and links aren't going to waste a 0-day worth a million dollars on you.

Hizonner, today at 2:02 AM

"Never scan public QR codes" is functionally equivalent to "never type in a URL and never click on a link". Other than the smallish scan-specific attack surface that you mention and then largely dismiss, there's nothing that makes QR codes more dangerous than any other way of delivering links.

It's somewhere between impractical and impossible to evaluate a URL and know anything about its "safety". So if you can't make your Web browser impervious enough to tolerate basically any crap a server may send back to your satisfaction, then your only answer is a total walled garden.
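An added example, not written by anyone in this thread: the static triage both voodooEntity's replaceable-PDF story and Hizonner's "you can't evaluate a URL" point circle around. Given the string a scanner decoded from a QR code, it reports the structural red flags a user cannot see in the QR image; it deliberately cannot judge what the server will return, which is exactly the replaced-PDF case. The shortener list and the user-content host names are constructed placeholders, not a real blocklist.

```python
"""Static triage of a payload decoded from a QR code (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative lists; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
USER_CONTENT_HOSTS = {"files.example-share.test", "qr-upload.example.test"}
DOWNLOAD_EXTENSIONS = (".pdf", ".apk", ".exe", ".zip", ".docm")


def qr_payload_flags(payload: str) -> list[str]:
    """Return red flags visible in the decoded payload itself (may be empty)."""
    flags: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return ["not-a-url"]  # Wi-Fi, vCard or plain-text payloads: handled elsewhere
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto: or app-specific schemes are handed to another app,
        # not the browser; the USSD incidents in the thread lived in this class.
        return [f"non-web-scheme:{scheme}"]
    if scheme == "http":
        flags.append("plaintext-http")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # "https://bank.example@evil.example/" shows the bank name first on a phone
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("raw-ip-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("idn-or-punycode-host")  # possible homograph of a known name
    if host in SHORTENERS:
        flags.append("url-shortener")  # destination invisible until followed
    if host in USER_CONTENT_HOSTS:
        flags.append("user-uploaded-content-host")  # object can be swapped by uploader
    if parts.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        flags.append("direct-file-download:" + parts.path.lower().rsplit(".", 1)[-1])
    return flags
```

A clean result only means the URL has no visible structural problem; a perfectly ordinary-looking link to a replaceable PDF on a free host comes back empty, which is the limit Hizonner describes.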

tptacek, yesterday at 11:44 PM

The article doesn't claim that things like O.MG don't exist, just that they're not a serious threat to modern devices. It's explicit on that point.

TZubiri, today at 1:23 AM

> Personally, I think the worst part about it is handling a low probability as something that's not gonna happen. That's, especially in IT-Sec, one of the worst practices.

If you are an online service provider, sure. Low probability means it's going to happen, especially as you scale with users.

For a small business IT team? You can't keep a clean sheet; the strategy is to reduce the probability of an incident and reduce its damage, but it will never be zero, if only because you have non-technical users that need to do actual work.

p(incident) is just yet another variable you need to do tradeoff engineering on, and obsessing over reducing it to 0 will probably compromise other tradeoffs like ease of use of the system.

It's a special case of ironic when, in an attempt to get a specific variable to 0 (which is impossible with most variables anyway), you end up compromising that specific variable. So if you force users to use lots of passwords and password managers and MFA, and limit their capabilities, they end up circumventing your security systems and advice, so they introduce an issue (but of course it will be the user's fault, and not the CISO's fault; their job is secure).