Who? • March 20, 2025 12:25 PM
@ Clive Robinson
Years ago I sent an email to DISA about some obvious “errors” in some networking-related STIGs that made those technical implementation guides dangerous if followed as published. They replied, in a somewhat impolite way, noting the obvious (that I am not affiliated with the U.S. army); these technical implementation guides about some well-known routing devices remain unfixed.
The same happened again some time later, this time about some CTR and CSIs published by NSA. No answer at all, something I appreciate when compared to DISA's reply, but they continue recommending a setup that opens widely known attacks against shared caches in certain processor architectures. Not to say, these documents have been updated at least one time but continue suggesting the insecure settings.
To be honest, I do not trust what CISA/DISA/NSA may publish.
The current U.S. administration may continue degrading the country's cybersecurity and international alliances. If U.S. citizens accept it this way, who am I to disagree?
Clive Robinson • March 20, 2025 12:58 PM
@ Who?, ALL,
With regards,
“To be honest, I do not trust what CISA/DISA/NSA may publish.”
And so you should not. Likewise you should not trust the word of anyone including me 😉
It’s why I do not like the idea of “Best Practice” that every man and his dog took as an idea from the legal profession. Because there is no such thing as “best practice” and anything written in that regard almost certainly becomes “out of date” very shortly thereafter.
What people should do, and few have time to do so, is learn what a system does and how, and what its interactions, strengths, weaknesses and Non Obvious Flaws are.