Last I saw they still have two “special employees” with “read only” access. So he still has “read only” access.
But also? They already made code changes. And while I doubt they would be able to do anything meaningful, it is not hard to add another user account or an ssh tunnel to get through the “air gap”. And it would not be beyond Musk et al to call that “hacking”.
Just to be clear, I will absolutely create new domain users or add my own ssh keys to an authorized_keys file to escalate privs or move laterally through a network while I’m “hacking”.
Also a malicious actor opening a reverse port forward tunnel with ssh allows them to punch a hole to them on the WAN side of the network when they’re dealing with NAT or firewall rules. If a system is truly airgapped then that accomplishes nothing. You’d need something plugged in to the airgapped system or airgapped network to bridge that air gap, like a USB adapter that has a SIM card in it.
Since we are talking about payment systems that interact with other banking systems, they will not be actually air gapped. By the nature and purpose of the systems in question, they must have access to the physical Internet (even if it is entirely abstracted away under layers of VPNs and encryption).
Assuming them compromised is prudent. Physical access is total access.